reworked Content-Security-Policy header, special case for Binary

To support using Binary resources for HTML reports with inline css and java-script, adding a special case for Binary resources with content-type 'text/html'. Disabling inline css and java-script does not improve security since users that can create malicious Binary resource with HTML can also create malicious Binary resources with css or java-script.
datasharingframework · Oct 31, 2023 · c69fdb4 · c69fdb4
1 parent 39c0f0b
commit c69fdb4
Showing 1 changed file with 10 additions and 2 deletions.
diff --git a/...erver/src/main/java/dev/dsf/fhir/webservice/filter/BrowserPolicyHeaderResponseFilter.java b/...erver/src/main/java/dev/dsf/fhir/webservice/filter/BrowserPolicyHeaderResponseFilter.java
@@ -29,8 +29,16 @@ public void filter(ContainerRequestContext requestContext, ContainerResponseCont
 			headers.add("Cross-Origin-Embedder-Policy", "require-corp");
 			headers.add("Cross-Origin-Resource-Policy", "same-site");
 			headers.add("Permissions-Policy", "geolocation=(), camera=(), microphone=()");
-			headers.add("Content-Security-Policy",
-					"frame-ancestors 'none'; default-src 'self'; frame-src 'none'; media-src 'none'; object-src 'none'; worker-src 'none'");
+
+			if (requestContext.getUriInfo() != null && requestContext.getUriInfo().getPath() != null
+					&& requestContext.getUriInfo().getPath().startsWith("Binary/"))
+				headers.add("Content-Security-Policy",
+						"base-uri 'self'; frame-ancestors 'none'; form-action 'self'; default-src 'none'; connect-src 'self'; img-src 'self';"
+								+ " script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'");
+			else
+				headers.add("Content-Security-Policy",
+						"base-uri 'self'; frame-ancestors 'none'; form-action 'self'; default-src 'none'; connect-src 'self'; img-src 'self';"
+								+ " script-src 'self'; style-src 'self'");
 		}
 	}
 }