Consider having HeaderWriters check before writing #6456
Conversation
ankurpathak
force-pushed
the
gh-6454-fix
branch
from
bbe5d74 to
532ec33
Compare
ankurpathak
force-pushed
the
gh-6454-fix
branch
3 times, most recently
from
eeacf8b to
5366b42
Compare
| @@ -61,7 +62,7 @@ public void writeHeaders(HttpServletRequest request, HttpServletResponse respons | |||
| } | |||
|
|
|||
| private boolean hasHeader(HttpServletResponse response, String headerName) { | |||
| return response.getHeader(headerName) != null; | |||
| return response.containsHeader(headerName); | |||
There was a problem hiding this comment.
Thanks for the cleanup, but since it isn't necessary for this PR and this is the only change to this class, let's leave this file out for now.
| @@ -100,7 +101,10 @@ public ContentSecurityPolicyHeaderWriter(String policyDirectives) { | |||
| */ | |||
| @Override | |||
| public void writeHeaders(HttpServletRequest request, HttpServletResponse response) { | |||
| response.setHeader((!reportOnly ? CONTENT_SECURITY_POLICY_HEADER : CONTENT_SECURITY_POLICY_REPORT_ONLY_HEADER), policyDirectives); | |||
| String headerName = !reportOnly ? CONTENT_SECURITY_POLICY_HEADER : CONTENT_SECURITY_POLICY_REPORT_ONLY_HEADER; | |||
| if (!response.containsHeader(headerName)) { | |||
There was a problem hiding this comment.
It would be good to have tests that confirm this behavior now for each header writer. Something that demonstrates if the header is already present, now it doesn't get overridden.
|
Also, @ankurpathak would you please update the commit message to indicate that this fixes #5193 as well? |
ankurpathak
force-pushed
the
gh-6454-fix
branch
from
5366b42 to
6c49ecf
Compare
I tried to fix it as well. But not sure if I am correct. I listed issues by space separated list. |
| public void writeHeaderOnlyIfNotPresentContentSecurityPolicyHeader(){ | ||
| this.response = spy(this.response); | ||
| doReturn(true).when(response).containsHeader(CONTENT_SECURITY_POLICY_HEADER); |
There was a problem hiding this comment.
These tests might be a bit brittle since they depend on how the writer is verifying the existence of the header.
If the tests did:
String value = new String("value");
this.response.setHeader(CONTENT_SECURITY_POLICY_HEADER, value);
this.writer.writeHeaders(this.request, this.response);
assertThat(this.response.getHeader(CONTENT_SECURITY_POLICY_HEADER)).isSameAs(value);Then it would verify regardless of the way the writer implemented the check.
| @Test | ||
| public void writeHeadersWhenWhiteList() { | ||
| WhiteListedAllowFromStrategy whitelist = new WhiteListedAllowFromStrategy(Arrays.asList("example.com")); | ||
| WhiteListedAllowFromStrategy whitelist = new WhiteListedAllowFromStrategy(Collections.singletonList("example.com")); |
There was a problem hiding this comment.
Is this change necessary for this PR? I see that you are using Collections.singletonList below in your test, but I'd recommend bringing other tests into conformance be in a different PR. (For example, you could also change old tests to refer to member variables via this., but we aren't doing that here since that isn't the purpose of this PR)
| * @since 5.0 | ||
| */ | ||
| public class XFrameOptionsHeaderWriterTests { | ||
| private MockHttpServletRequest request = new MockHttpServletRequest(); | ||
| private MockHttpServletResponse response = new MockHttpServletResponse(); | ||
|
|
||
| public static final String XFRAME_OPTIONS_HEADER = "X-Frame-Options"; |
There was a problem hiding this comment.
Let's leave this private so you don't have to worry about other classes accessing it.
| @@ -20,21 +20,32 @@ | |||
| import org.springframework.mock.web.MockHttpServletRequest; | |||
| import org.springframework.mock.web.MockHttpServletResponse; | |||
|
|
|||
| import java.util.Arrays; | |||
| import java.util.Collections; | |||
There was a problem hiding this comment.
Will you update the copyright year here, please, and any other files you edit where it doesn't yet say 2019?
ankurpathak
force-pushed
the
gh-6454-fix
branch
from
6c49ecf to
486c29d
Compare
All HeadersWriter only write Header if its not already written. Fixes: spring-projectsgh-6454 spring-projectsgh-5193
ankurpathak
force-pushed
the
gh-6454-fix
branch
from
486c29d to
76fe944
Compare
|
Thanks again, @ankurpathak! This is now merged into |
jzheaux
added
status: duplicate
All HeadersWriter only write Header if its not already
written.
Fixes: gh-6454