Modify Content Security Policy to allow LiveReload when devtools enabled

Question

Modify Content Security Policy to allow LiveReload when devtools enabled

Closed this issue 8 years ago · 10 comments

When Spring Boot's devtools are enabled it would be nice if we could automatically modify the Content Security Policy (CSP) to allow LiveReload. Otherwise when using a more restrictive CSP the following error occurs:

Refused to connect to 'ws://127.0.0.1:35729/livereload' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.

Currently this will only be relevant if someone has enabled CSP through the generic header support. For example:

http
    .headers()
        .addHeaderWriter(new StaticHeadersWriter("Content-Security-Policy","default-src 'self'"))

This will be especially important when Spring Security 4.1 is released which will provide a simple DSL for adding CSP (this is not yet pushed to master). See SEC-2117 for tracking. In that case something like this will prevent the LiveReload from working in the browser:

http
    .headers()
        .csp()
            .defaultSrc().self();

This can be worked around using something like this:

http
    .headers()
        .csp()
            .defaultSrc().self().sources("ws://127.0.0.1:35729");

However, this is not ideal since this would not be suitable for production.

Answer 1 · 2015-09-04T18:36:19.000Z

Will it be possible to add the .sources("ws...") element after the fact?

i.e the user types:

http
    .headers()
        .csp()
            .defaultSrc().self();

And if devtools is running we change it to include sources("ws://127.0.0.1:35729").

Answer 2 · 2015-09-04T18:43:00.000Z

@philwebb I think part of this issue will be to figure out how best to make this work.

One feature I have been considering is adding a hook into Spring Security that allows modifying any arbitrary HttpSecurity instance. This feature would be an ideal candidate for that. Not to mention it would make some of the other features in boot more useful. For example, the security properties could apply to any HttpSecurity instance rather than just the ones boot creates which are often times ignored once the user does anything with web security.

Alternatively it may be possible to do this with a generic HttpServletResponseWrapper that checks the headers.

Answer 3 · 2015-09-04T18:46:45.000Z

I figured I ask in case you needed to add some hook before Spring Security 4.1 is GA

Answer 4 · 2015-09-04T18:48:18.000Z

@philwebb Thanks for checking. I will be sure to coordinate between the two projects to ensure Boot has a hook to make this possible.

Answer 5 · 2015-09-04T18:50:13.000Z

PS: I went ahead and created SEC-2117 to track this

Answer 6 · 2018-03-22T19:56:06.000Z

Waiting on spring-projects/spring-security#3305

Answer 7 · 2018-03-22T20:31:21.000Z

We never ended up creating a DSL for CSP & do not have plans for doing so since CSP is a moving target. I'm not sure how feasible this feature is without the DSL within Spring Security. One option might be to use a servlet Filter that wraps the response and customizes the header if it is written.

Answer 8 · 2018-03-22T21:34:31.000Z

@rwinch I thought this added that?

Answer 9 · 2018-03-22T21:38:15.000Z

@mbhave It added very basic support. There is just a value attribute but nothing like what was described above. For example it looks like this:

.headers()
    .contentSecurityPolicy("script-src 'self' https://trustedscripts.example.com; object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/");

Answer 10 · 2018-03-23T14:47:37.000Z

I see. I think we should close this issue in that case.