我们正在使用Request Rate and Performance Considerations中的代码实现Content Security Policy (CSP),它工作正常,但有时会抛出FileNotFoundException。我们使用了一些不存在的参考CSS文件。浏览器会忽略它们,因此这对应用程序来说不是问题,但是我需要在拦截器中处理异常,并且仍然可以获得CSP的好处。
我们的代码是
public String intercept(ActionInvocation invocation) throws Exception {
final ActionContext ac = invocation.getInvocationContext();
HttpServletResponse response = (HttpServletResponse) ac.get(StrutsStatics.HTTP_RESPONSE);
response.addHeader("X-Frame-Options", "SAMEORIGIN");
response.addHeader("Content-Security-Policy", "default-src 'self'; "
+ " script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google-analytics.com ; "
+ " style-src 'self' 'unsafe-inline';"
+ " font-src 'self' ;"
+ " img-src 'self' ;"
+ " connect-src 'self' ;");
response.addHeader("X-XSS-Protection", "1; mode=block");
response.addHeader("Referrer-Policy", "no-referrer-when-downgrade");
response.addHeader("X-Content-Type-Options", "nosniff");
return invocation.invoke();
}