51369b610e
When an include is not surrounded by empty lines, its content is inlined on the same line as the adjacent content. That can lead to broken tags and other display issues. This PR fixes all such includes and introduces a validation step that forbids introducing the same problem again.
43 lines
1.1 KiB
Plaintext
43 lines
1.1 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
In a Spring security application, the code is sensitive if https://docs.spring.io/spring-security/site/docs/4.2.x/reference/html/headers.html#headers-csp-configure[contentSecurityPolicy method] is not used or used without the default directive:
|
|
|
|
----
|
|
http
|
|
// ...
|
|
.and()
|
|
.headers()
|
|
.contentSecurityPolicy("script-src 'self' https://example.com"); // Sensitive: default-src directive is missing
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
In a Spring security application, starting version 4.1, a standard way to implement CSP is with https://docs.spring.io/spring-security/site/docs/4.2.x/reference/html/headers.html#headers-csp-configure[contentSecurityPolicy method]:
|
|
|
|
[source,java]
|
|
----
|
|
http
|
|
// ...
|
|
.and()
|
|
.headers()
|
|
.contentSecurityPolicy("default-src 'self' https://example.com"); // Compliant
|
|
----
|
|
|
|
include::../see.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::../message.adoc[]
|
|
|
|
endif::env-github,rspecator-view[]
|