fix-29006 reportOnly flag on ResponseHeadersContentSecurityPolicy
dillonstreator committed Feb 8, 2024
1 parent 431df3b commit f47fe50
Showing 2 changed files with 52 additions and 2 deletions.
32 changes: 30 additions & 2 deletions packages/aws-cdk-lib/aws-cloudfront/lib/response-headers-policy.ts
Expand Up @@ -114,13 +114,36 @@ export class ResponseHeadersPolicy extends Resource implements IResponseHeadersP
maxLength: 128,
});

let securityHeadersBehavior = props.securityHeadersBehavior;
let customHeadersBehavior = props.customHeadersBehavior;

if (securityHeadersBehavior?.contentSecurityPolicy?.reportOnly) {
const reportOnlyCSPHeader = {
header: 'Content-Security-Policy-Report-Only',
value: securityHeadersBehavior.contentSecurityPolicy.contentSecurityPolicy,
override: true,
};
securityHeadersBehavior = {
...securityHeadersBehavior,
contentSecurityPolicy: undefined,
};

if (!customHeadersBehavior) {
customHeadersBehavior = {
customHeaders: [],
}
}
// TODO: log a warning if custom headers already contains CSP-Report-Only header?
customHeadersBehavior.customHeaders.push(reportOnlyCSPHeader);
}

const resource = new CfnResponseHeadersPolicy(this, 'Resource', {
responseHeadersPolicyConfig: {
name: responseHeadersPolicyName,
comment: props.comment,
corsConfig: props.corsBehavior ? this._renderCorsConfig(props.corsBehavior) : undefined,
customHeadersConfig: props.customHeadersBehavior ? this._renderCustomHeadersConfig(props.customHeadersBehavior) : undefined,
securityHeadersConfig: props.securityHeadersBehavior ? this._renderSecurityHeadersConfig(props.securityHeadersBehavior) : undefined,
customHeadersConfig: customHeadersBehavior ? this._renderCustomHeadersConfig(customHeadersBehavior) : undefined,
securityHeadersConfig: securityHeadersBehavior ? this._renderSecurityHeadersConfig(securityHeadersBehavior) : undefined,
removeHeadersConfig: props.removeHeaders ? this._renderRemoveHeadersConfig(props.removeHeaders) : undefined,
serverTimingHeadersConfig: props.serverTimingSamplingRate ? this._renderServerTimingHeadersConfig(props.serverTimingSamplingRate) : undefined,
},
Expand Down Expand Up @@ -337,6 +360,11 @@ export interface ResponseHeadersContentSecurityPolicy {
* received from the origin with the one specified in this response headers policy.
*/
readonly override: boolean;

/**
* A Boolean that determines whether CloudFront includes the -Report-Only suffix in the Content-Security-Policy HTTP response header.
*/
readonly reportOnly?: boolean;
}

/**
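Review bot: `customHeadersBehavior.customHeaders.push(reportOnlyCSPHeader)` mutates the array the caller passed in whenever `props.customHeadersBehavior` was supplied, because `let customHeadersBehavior = props.customHeadersBehavior` only copies the reference, so the caller's props change and a props object reused for a second policy would get the Report-Only header pushed twice. Replace the `if (!customHeadersBehavior)` block and the push with a non-mutating build: `customHeadersBehavior = { ...customHeadersBehavior, customHeaders: [...(customHeadersBehavior?.customHeaders ?? []), reportOnlyCSPHeader] };`. The TODO on the line before the push belongs in the same spot: a caller-supplied `Content-Security-Policy-Report-Only` custom header would now be emitted alongside the generated one, so either throw on that name or skip the push when it is already present. The doc comment on `reportOnly` in the second hunk says CloudFront includes the suffix, whereas the implementation moves the policy into a custom header and drops it from `SecurityHeadersConfig`; I would phrase it as `Whether to emit the policy as a Content-Security-Policy-Report-Only custom header (violations are reported but not enforced) instead of an enforced Content-Security-Policy header.` The constructor enclosing the first hunk starts outside it.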
Expand Up @@ -180,4 +180,26 @@ describe('ResponseHeadersPolicy', () => {
},
});
});

test('it respects CSP `reportOnly` flag by mapping to custom header', () => {
new ResponseHeadersPolicy(stack, 'ResponseHeadersPolicy', {
securityHeadersBehavior: {
contentSecurityPolicy: { contentSecurityPolicy: 'default-src https:;', override: true, reportOnly: true },
},
});

Template.fromStack(stack).hasResourceProperties('AWS::CloudFront::ResponseHeadersPolicy', {
ResponseHeadersPolicyConfig: {
CustomHeadersConfig: {
Items: [
{
Header: 'Content-Security-Policy-Report-Only',
Value: 'default-src https:;',
Override: true,
},
]
},
},
});
})
});
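Review bot: The assertion only checks that the Report-Only custom header is present; `hasResourceProperties` matches a subset of properties, so the test would still pass if an enforced `SecurityHeadersConfig.ContentSecurityPolicy` were emitted next to it, which is the most likely regression for this flag. Add a negative check such as `Template.fromStack(stack).hasResourceProperties('AWS::CloudFront::ResponseHeadersPolicy', { ResponseHeadersPolicyConfig: Match.not(Match.objectLike({ SecurityHeadersConfig: { ContentSecurityPolicy: Match.anyValue() } })) });` (importing `Match` from the assertions module if the file does not already). A second case that passes an existing `customHeadersBehavior` together with `reportOnly: true` would pin that the caller's headers are kept next to the generated one and that the caller's object is not mutated. The `describe` block enclosing this hunk starts outside it.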
