- csp.append("default-src 'none';");
- csp.append("font-src https://" + ServerConstants.getStaticHostNamePort());
- csp.append(";img-src https://" + ServerConstants.getStaticHostNamePort());
- csp.append(";media-src 'none'; object-src 'none';");
- csp.append("script-src https://" + ServerConstants.getStaticHostNamePort());
- csp.append(";style-src https://" + ServerConstants.getStaticHostNamePort());
+ csp.append("default-src 'none'");
+ csp.append(";font-src https://" + ServerConstants.getStaticHostNamePortSecure());
+ csp.append(";img-src https://" + ServerConstants.getStaticHostNamePortSecure());
+ csp.append(";media-src 'none'; object-src 'none'");
+ csp.append(";script-src https://" + ServerConstants.getStaticHostNamePortSecure());
+ csp.append(";style-src https://" + ServerConstants.getStaticHostNamePortSecure());
+ csp.append(";form-action https://" + ServerConstants.getSecureHostNamePort() + " https://" + ServerConstants.getWwwHostNamePortSecure());
+ csp.append(";report-url https://api.cacert.org/security/csp/report");
+ httpsCSP = csp.toString();
+ }
+ return httpsCSP;
+ }
+
+ private static String getHttpCSP() {
+ if (httpCSP == null) {
+ StringBuffer csp = new StringBuffer();
+ csp.append("default-src 'none'");
+ csp.append(";font-src http://" + ServerConstants.getStaticHostNamePort());
+ csp.append(";img-src http://" + ServerConstants.getStaticHostNamePort());
+ csp.append(";media-src 'none'; object-src 'none'");
+ csp.append(";script-src http://" + ServerConstants.getStaticHostNamePort());
+ csp.append(";style-src http://" + ServerConstants.getStaticHostNamePort());