Do simple XSS Header protection.

[gigi.git] / src / org / cacert / gigi / Gigi.java

diff --git a/src/org/cacert/gigi/Gigi.java b/src/org/cacert/gigi/Gigi.java
index 754fe3a0603ac6f07adbcf53de1255353d12b115..551c9be051175e25378eb0735788d7c42c534a72 100644 (file)
--- a/src/org/cacert/gigi/Gigi.java
+++ b/src/org/cacert/gigi/Gigi.java
@@ -61,7 +61,7 @@ public class Gigi extends HttpServlet {
                                new FileInputStream(new File("templates/base.html"))))) {
                        String tmp;
                        while ((tmp = reader.readLine()) != null) {
-                               templ += tmp;
+                               templ += tmp + "\n";
                        }
                        baseTemplate = templ.split("\\$content\\$");
                } catch (Exception e) {
@@ -73,6 +73,11 @@ public class Gigi extends HttpServlet {
        @Override
        protected void service(HttpServletRequest req, HttpServletResponse resp)
                        throws ServletException, IOException {
+               addXSSHeaders(resp);
+               if (req.getHeader("Origin") != null) {
+                       resp.getWriter().println("No cross domain access allowed.");
+                       return;
+               }
                HttpSession hs = req.getSession();
                if (req.getPathInfo() != null && req.getPathInfo().equals("/logout")) {
                        if (hs != null) {
@@ -142,5 +147,12 @@ public class Gigi extends HttpServlet {
                in = in.replaceAll("\\$year\\$", year + "");
                return in;
        }
+       public static void addXSSHeaders(HttpServletResponse hsr) {
+               hsr.addHeader("Access-Control-Allow-Origin",
+                               "http://cacert.org https://localhost");
+               hsr.addHeader("Access-Control-Max-Age", "60");
+               // hsr.addHeader("Content-Security-Policy",
+               // "default-src 'self'; report-uri https://felix.dogcraft.de/report.php");
 
+       }
 }