如何在Spring中添加HTTP“Feature-Policy”头

Question

我需要添加HTTP“Feature-Policy”响应头，但我没有找到任何在spring头中实现这一点的方法，比如-

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
        // ...
        .headers()
            .contentSecurityPolicy("script-src 'self' https://trustedscripts.example.com; object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/");
    }

我可以看到规范草案here，但关于在Spring中使用它的内容并不多。任何建议都将不胜感激。

Answer 1

要创建自定义标头，应使用addHeaderWriter并添加StaticHeadersWriter

示例：

@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
        // ...
        .headers()
            .contentSecurityPolicy("script-src 'self' https://trustedscripts.example.com; object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/")
            .and()
            .addHeaderWriter(new StaticHeadersWriter("Feature-Policy", "vibrate 'none'; usermedia 'none'"));
    }
}

Answer 2

Spring Security在5.1中引入了对Feature-Policy的支持，因此可以将其配置为其他标头：

http
    .headers()
        .featurePolicy("geolocation 'none'");

对于5.2+版本，代码略有不同：

http
    .headers(headers ->
        headers.featurePolicy("geolocation 'none'")
    );

有关详细信息，请参阅文档：

• https://docs.spring.io/spring-security/site/docs/5.1.x/reference/html/default-security-headers-2.html#webflux-headers-feature-configure
• https://docs.spring.io/spring-security/site/docs/5.4.x/reference/html5/#servlet-headers-feature

更新： @granty指出Feature-Policy头已重命名为Permissions-Policy。即将发布的Spring Security 5.5.0-M2将支持它。下面是它的外观：

http
    .headers(headers ->
        headers.permissionsPolicy(permissions ->
            permissions.policy("geolocation=(self)")
        )
    );

另请参阅相关的拉取请求：#9265