authorAlain Kermis <alain.kermis@sonarsource.com>2024-07-26 13:50:56 +0200
committersonartech <sonartech@sonarsource.com>2024-07-26 20:02:48 +0000
commitda791972bb7615fc426acab1f406d08d3b91ef1a (patch)
tree458d62dce0a9bb31101fe3b7e6fc8ebb380e58f7
parent56451da6860dbd75ff978a2b6c1a6a3bbb23cc56 (diff)
SONAR-22149 Drop Cross-Origin related HTTP security headers
-rw-r--r--server/sonar-web/public/WEB-INF/web.xml9
-rw-r--r--server/sonar-webserver/src/main/java/org/sonar/server/platform/web/CrossOriginFilter.java59
-rw-r--r--server/sonar-webserver/src/test/java/org/sonar/server/platform/web/CrossOriginFilterTest.java73
3 files changed, 0 insertions, 141 deletions
diff --git a/server/sonar-web/public/WEB-INF/web.xml b/server/sonar-web/public/WEB-INF/web.xml
index 0a1414eab7a..b5d4912371d 100644
--- a/server/sonar-web/public/WEB-INF/web.xml
+++ b/server/sonar-web/public/WEB-INF/web.xml
@@ -63,11 +63,6 @@
<async-supported>true</async-supported>
</filter>
<filter>
- <filter-name>CrossOriginFilter</filter-name>
- <filter-class>org.sonar.server.platform.web.CrossOriginFilter</filter-class>
- <async-supported>true</async-supported>
- </filter>
- <filter>
<filter-name>EndpointPathFilter</filter-name>
<filter-class>org.sonar.server.platform.web.EndpointPathFilter</filter-class>
<async-supported>true</async-supported>
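Review bot: With the `CrossOriginFilter` registration removed here and its `/*` mapping removed in the second hunk, responses no longer get `Cross-Origin-Embedder-Policy: require-corp`, `Cross-Origin-Opener-Policy: same-origin` or `Cross-Origin-Resource-Policy: same-origin` from this filter chain, and neither the commit message nor web.xml records why or what replaces them. These headers limit cross-origin embedding of responses and keep cross-origin windows out of the page's browsing context group, so deployments that relied on them lose that isolation silently on upgrade unless another layer (not visible in this diff) sets them. I would leave a marker where the filter used to be, for example `<!-- Cross-Origin-* response headers are no longer set by the application (SONAR-22149); configure them at the reverse proxy if required -->`, and state the reason for the removal in the commit description. The `<filter>` list continues outside the hunk.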
@@ -107,10 +102,6 @@
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
- <filter-name>CrossOriginFilter</filter-name>
- <url-pattern>/*</url-pattern>
- </filter-mapping>
- <filter-mapping>
<filter-name>UserSessionFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
diff --git a/server/sonar-webserver/src/main/java/org/sonar/server/platform/web/CrossOriginFilter.java b/server/sonar-webserver/src/main/java/org/sonar/server/platform/web/CrossOriginFilter.java
deleted file mode 100644
index 73cb9bac8f3..00000000000
--- a/server/sonar-webserver/src/main/java/org/sonar/server/platform/web/CrossOriginFilter.java
+++ /dev/null
@@ -1,59 +0,0 @@
-/*
- * SonarQube
- * Copyright (C) 2009-2024 SonarSource SA
- * mailto:info AT sonarsource DOT com
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 3 of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with this program; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
- */
-package org.sonar.server.platform.web;
-
-import java.io.IOException;
-import java.util.HashMap;
-import java.util.Map;
-import javax.servlet.Filter;
-import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletResponse;
-
-public class CrossOriginFilter implements Filter {
-
- private final Map<String, String> crossOriginHeaders = new HashMap<>();
-
- @Override
- public void init(FilterConfig filterConfig) throws ServletException {
- crossOriginHeaders.put("Cross-Origin-Embedder-Policy", "require-corp");
- crossOriginHeaders.put("Cross-Origin-Opener-Policy", "same-origin");
- crossOriginHeaders.put("Cross-Origin-Resource-Policy", "same-origin");
- }
-
- @Override
- public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
- // Add policies to all HTTP headers
- for (Map.Entry<String, String> entry : crossOriginHeaders.entrySet()) {
- ((HttpServletResponse) response).setHeader(entry.getKey(), entry.getValue());
- }
-
- chain.doFilter(request, response);
- }
-
- @Override
- public void destroy() {
- // Not used
- }
-
-}
diff --git a/server/sonar-webserver/src/test/java/org/sonar/server/platform/web/CrossOriginFilterTest.java b/server/sonar-webserver/src/test/java/org/sonar/server/platform/web/CrossOriginFilterTest.java
deleted file mode 100644
index ae307b5b2ed..00000000000
--- a/server/sonar-webserver/src/test/java/org/sonar/server/platform/web/CrossOriginFilterTest.java
+++ /dev/null
@@ -1,73 +0,0 @@
-/*
- * SonarQube
- * Copyright (C) 2009-2024 SonarSource SA
- * mailto:info AT sonarsource DOT com
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 3 of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with this program; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
- */
-package org.sonar.server.platform.web;
-
-import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletContext;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import org.junit.Before;
-import org.junit.Test;
-
-import static org.mockito.Mockito.RETURNS_MOCKS;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.when;
-
-public class CrossOriginFilterTest {
-
- private static final String TEST_CONTEXT = "/sonarqube";
- private final ServletContext servletContext = mock(ServletContext.class, RETURNS_MOCKS);
- private final HttpServletResponse response = mock(HttpServletResponse.class);
- private final FilterChain chain = mock(FilterChain.class);
- private final CrossOriginFilter underTest = new CrossOriginFilter();
- FilterConfig config = mock(FilterConfig.class);
-
- @Before
- public void setUp() throws ServletException {
- when(servletContext.getContextPath()).thenReturn(TEST_CONTEXT);
- }
-
- @Test
- public void doInit_whenCalled_shouldSetHeaders() throws Exception {
- doInit();
- HttpServletRequest request = newRequest("/");
- underTest.doFilter(request, response, chain);
- verify(response).setHeader("Cross-Origin-Embedder-Policy", "require-corp");
- verify(response).setHeader("Cross-Origin-Opener-Policy", "same-origin");
- verify(response).setHeader("Cross-Origin-Resource-Policy", "same-origin");
- verify(chain).doFilter(request, response);
- }
-
- private void doInit() throws ServletException {
- underTest.init(config);
- }
-
- private HttpServletRequest newRequest(String path) {
- HttpServletRequest req = mock(HttpServletRequest.class);
- when(req.getMethod()).thenReturn("GET");
- when(req.getRequestURI()).thenReturn(path);
- when(req.getContextPath()).thenReturn("");
- when(req.getServletContext()).thenReturn(this.servletContext);
- return req;
- }
-}