Add security related headers for static resources

Add the following security headers to static resources, including `html`, `js`, and `css` files. - Add `X-Content-Type-Options` header and assign the value to 'nosniff' - Add `Content-Security-Policy` header and proper values - default-src: 'self' - style-src: 'self' 'unsafe-inline' https://fonts.googleapis.com - font-src: self fonts.gstatic.com - frame-ancestors: self Signed-off-by: Yihong Wang <yh.wang@ibm.com>
prestodb · Jan 7, 2025 · b230be1 · b230be1
1 parent 9abf6c0
commit b230be1
Show file tree

Hide file tree

Showing 16 changed files with 583 additions and 23 deletions.
diff --git a/pom.xml b/pom.xml
@@ -44,7 +44,7 @@
         <air.maven.version>3.3.9</air.maven.version>
 
         <dep.antlr.version>4.7.1</dep.antlr.version>
-        <dep.airlift.version>0.215</dep.airlift.version>
+        <dep.airlift.version>0.216</dep.airlift.version>
         <dep.packaging.version>${dep.airlift.version}</dep.packaging.version>
         <dep.slice.version>0.38</dep.slice.version>
         <dep.testing-mysql-server-5.version>0.6</dep.testing-mysql-server-5.version>

diff --git a/presto-main/src/main/java/com/facebook/presto/server/CoordinatorModule.java b/presto-main/src/main/java/com/facebook/presto/server/CoordinatorModule.java
@@ -95,6 +95,7 @@
 import com.facebook.presto.transaction.TransactionManagerConfig;
 import com.facebook.presto.util.PrestoDataDefBindingHelper;
 import com.google.common.collect.ImmutableList;
+import com.google.common.net.HttpHeaders;
 import com.google.inject.Binder;
 import com.google.inject.Provides;
 import com.google.inject.Scopes;
@@ -141,8 +142,12 @@ public class CoordinatorModule
     @Override
     protected void setup(Binder binder)
     {
-        httpServerBinder(binder).bindResource("/ui", "webapp").withWelcomeFile("index.html");
-        httpServerBinder(binder).bindResource("/tableau", "webapp/tableau");
+        httpServerBinder(binder).bindResource("/ui", "webapp").withWelcomeFile("index.html")
+                .withExtraHeader(HttpHeaders.X_CONTENT_TYPE_OPTIONS, "nosniff")
+                .withExtraHeader(HttpHeaders.CONTENT_SECURITY_POLICY, "default-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; frame-ancestors 'self'");
+        httpServerBinder(binder).bindResource("/tableau", "webapp/tableau")
+                .withExtraHeader(HttpHeaders.X_CONTENT_TYPE_OPTIONS, "nosniff")
+                .withExtraHeader(HttpHeaders.CONTENT_SECURITY_POLICY, "default-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; frame-ancestors 'self'");
 
         // discovery server
         install(installModuleIf(EmbeddedDiscoveryConfig.class, EmbeddedDiscoveryConfig::isEnabled, new EmbeddedDiscoveryModule()));

diff --git a/presto-ui/src/static/dev/index.html b/presto-ui/src/static/dev/index.html
@@ -14,8 +14,8 @@
 
     <!-- HTML5 shim and Respond.js for IE8 support of HTML5 elements and media queries -->
     <!--[if lt IE 9]>
-    <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
-    <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
+    <script src="../vendor/html5shiv/html5shiv.min.js"></script>
+    <script src="../vendor/respond/respond.min.js"></script>
     <![endif]-->
 
     <!-- jQuery -->

diff --git a/presto-ui/src/static/embedded_plan.html b/presto-ui/src/static/embedded_plan.html
@@ -14,8 +14,8 @@
 
     <!-- HTML5 shim and Respond.js for IE8 support of HTML5 elements and media queries -->
     <!--[if lt IE 9]>
-    <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
-    <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
+    <script src="vendor/html5shiv/html5shiv.min.js"></script>
+    <script src="vendor/respond/respond.min.js"></script>
     <![endif]-->
 
     <!-- jQuery -->

diff --git a/presto-ui/src/static/index.html b/presto-ui/src/static/index.html
@@ -14,8 +14,8 @@
 
     <!-- HTML5 shim and Respond.js for IE8 support of HTML5 elements and media queries -->
     <!--[if lt IE 9]>
-    <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
-    <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
+    <script src="vendor/html5shiv/html5shiv.min.js"></script>
+    <script src="vendor/respond/respond.min.js"></script>
     <![endif]-->
 
     <!-- jQuery -->

diff --git a/presto-ui/src/static/plan.html b/presto-ui/src/static/plan.html
@@ -14,8 +14,8 @@
 
     <!-- HTML5 shim and Respond.js for IE8 support of HTML5 elements and media queries -->
     <!--[if lt IE 9]>
-    <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
-    <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
+    <script src="vendor/html5shiv/html5shiv.min.js"></script>
+    <script src="vendor/respond/respond.min.js"></script>
     <![endif]-->
 
     <!-- jQuery -->

diff --git a/presto-ui/src/static/query.html b/presto-ui/src/static/query.html
@@ -14,8 +14,8 @@
 
     <!-- HTML5 shim and Respond.js for IE8 support of HTML5 elements and media queries -->
     <!--[if lt IE 9]>
-    <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
-    <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
+    <script src="vendor/html5shiv/html5shiv.min.js"></script>
+    <script src="vendor/respond/respond.min.js"></script>
     <![endif]-->
 
     <!-- jQuery -->

diff --git a/presto-ui/src/static/res_groups.html b/presto-ui/src/static/res_groups.html
@@ -14,8 +14,8 @@
 
     <!-- HTML5 shim and Respond.js for IE8 support of HTML5 elements and media queries -->
     <!--[if lt IE 9]>
-    <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
-    <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
+    <script src="vendor/html5shiv/html5shiv.min.js"></script>
+    <script src="vendor/respond/respond.min.js"></script>
     <![endif]-->
 
     <!-- jQuery -->

diff --git a/presto-ui/src/static/sql_client.html b/presto-ui/src/static/sql_client.html
@@ -14,8 +14,8 @@
 
     <!-- HTML5 shim and Respond.js for IE8 support of HTML5 elements and media queries -->
     <!--[if lt IE 9]>
-    <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
-    <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
+    <script src="vendor/html5shiv/html5shiv.min.js"></script>
+    <script src="vendor/respond/respond.min.js"></script>
     <![endif]-->
 
     <!-- jQuery -->

diff --git a/presto-ui/src/static/stage.html b/presto-ui/src/static/stage.html
@@ -14,8 +14,8 @@
 
     <!-- HTML5 shim and Respond.js for IE8 support of HTML5 elements and media queries -->
     <!--[if lt IE 9]>
-    <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
-    <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
+    <script src="vendor/html5shiv/html5shiv.min.js"></script>
+    <script src="vendor/respond/respond.min.js"></script>
     <![endif]-->
 
     <!-- jQuery -->

diff --git a/presto-ui/src/static/timeline.html b/presto-ui/src/static/timeline.html
@@ -14,8 +14,8 @@
 
     <!-- HTML5 shim and Respond.js for IE8 support of HTML5 elements and media queries -->
     <!--[if lt IE 9]>
-    <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
-    <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
+    <script src="vendor/html5shiv/html5shiv.min.js"></script>
+    <script src="vendor/respond/respond.min.js"></script>
     <![endif]-->
 
     <!-- jQuery -->