Do simple XSS Header protection.

[gigi.git] / src / org / cacert / gigi / Gigi.java
diff --git a/src/org/cacert/gigi/Gigi.java b/src/org/cacert/gigi/Gigi.java

index 85d17ea03b2ab2deabc97cb94c3a9082cce93add..551c9be051175e25378eb0735788d7c42c534a72 100644 (file)
--- a/src/org/cacert/gigi/Gigi.java
+++ b/src/org/cacert/gigi/Gigi.java
@@ -48,7 +48,7 @@ public class Gigi extends HttpServlet {
                 pages.put("/", new MainPage("CACert - Home"));
                 pages.put("/secure", new TestSecure());
                 pages.put(Verify.PATH, new Verify());
-               pages.put(AssurePage.PATH, new AssurePage());
+               pages.put(AssurePage.PATH + "/*", new AssurePage());
                 pages.put(MailCertificates.PATH, new MailCertificates());
                 pages.put(MyDetails.PATH, new MyDetails());
                 pages.put(RegisterPage.PATH, new RegisterPage());
@@ -61,7 +61,7 @@ public class Gigi extends HttpServlet {
                                 new FileInputStream(new File("templates/base.html"))))) {
                         String tmp;
                         while ((tmp = reader.readLine()) != null) {
-                               templ += tmp;
+                               templ += tmp + "\n";
                         }
                         baseTemplate = templ.split("\\$content\\$");
                 } catch (Exception e) {
@@ -73,6 +73,11 @@ public class Gigi extends HttpServlet {
         @Override
         protected void service(HttpServletRequest req, HttpServletResponse resp)
                         throws ServletException, IOException {
+               addXSSHeaders(resp);
+               if (req.getHeader("Origin") != null) {
+                       resp.getWriter().println("No cross domain access allowed.");
+                       return;
+               }
                 HttpSession hs = req.getSession();
                 if (req.getPathInfo() != null && req.getPathInfo().equals("/logout")) {
                         if (hs != null) {
@@ -115,7 +120,9 @@ public class Gigi extends HttpServlet {
  
         }
         private Page getPage(String pathInfo) {
-
+               if (pathInfo.endsWith("/") && !pathInfo.equals("/")) {
+                       pathInfo = pathInfo.substring(0, pathInfo.length() - 1);
+               }
                 Page page = pages.get(pathInfo);
                 if (page != null) {
                         return page;
@@ -140,5 +147,12 @@ public class Gigi extends HttpServlet {
                 in = in.replaceAll("\\$year\\$", year + "");
                 return in;
         }
+       public static void addXSSHeaders(HttpServletResponse hsr) {
+               hsr.addHeader("Access-Control-Allow-Origin",
+                               "http://cacert.org https://localhost");
+               hsr.addHeader("Access-Control-Max-Age", "60");
+               // hsr.addHeader("Content-Security-Policy",
+               // "default-src 'self'; report-uri https://felix.dogcraft.de/report.php");
  
+       }
  }