Add X-Xss-Protection headerValue to XML config #11936

Closed

Conversation

Kehrlann
Contributor

@Kehrlann Kehrlann commented Oct 3, 2022

See gh-11908

@Kehrlann Kehrlann changed the base branch from main to 5.8.x October 3, 2022 13:47
@Kehrlann Kehrlann force-pushed the x-xss-protection-xml-config branch from 0370978 to c756756 Compare October 3, 2022 13:48
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Oct 3, 2022
@Kehrlann Kehrlann force-pushed the x-xss-protection-xml-config branch from c756756 to b1a4186 Compare October 3, 2022 13:59
Member

@sjohnr sjohnr left a comment

Thanks @Kehrlann! See inline comment below.

@@ -1298,6 +1298,9 @@ xss-protection.attlist &=
xss-protection.attlist &=
## Add mode=block to the header or not, default is on.
attribute block {xsd:boolean}?
xss-protection.attlist &=
## Specify the value for the X-Xss-Protection header. When set, overrides both enabled and block attributes.
attribute header-value {"0","1","1\;mode=block"}?
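Review bot: the value list `{"0","1","1\;mode=block"}` on the `attribute header-value` line is not how RELAX NG compact syntax expresses an enumeration, which is what the IDE's "group of "string" or "data" element" complaint points at; write the alternatives as a choice of literals, `attribute header-value {"0" | "1" | "1; mode=block"}?`, and drop the backslash, which is not an escape sequence inside a double-quoted RNC literal and should not be carried into the generated XSD. The `##` documentation line above it is worth keeping as written, since the precedence statement (header-value overrides both enabled and block) is what users of the generated XSD will read.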
Member

My IDE (IntelliJ) complains about this line, with

group of "string" or "data" element

Is this the correct change to make?

Contributor Author

Good catch, thanks!

Changed to "0" | "1" | "1; mode=block", it generates a very similar XSD but IntelliJ doesn't complain.

Note, I am no RELAX NG expert. I "made it work" but I don't really understand how...
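To make the semantics of the new attribute concrete, here is an added example (not code from the Spring Security project or from either participant) that parses a constructed `<headers>` fragment and returns the X-XSS-Protection value it configures, applying the precedence the schema documents: an explicit `header-value` overrides `enabled` and `block`, and `block` defaults to on. Two things are assumptions rather than statements on the page: that `<xss-protection>` nests directly under `<headers>` as in the Spring Security XML namespace, and the mapping of `enabled`/`block` to `"0"`, `"1"` and `"1; mode=block"`, which is taken from the header writer's behaviour rather than from the hunk. It also checks a value against the three literals the schema enumerates, which shows why the stray backslash discussed above matters: `1\;mode=block` is rejected, `1; mode=block` is accepted.

```python
"""Resolve the X-XSS-Protection header implied by a Spring Security
<xss-protection> XML element, including the new header-value attribute."""
import xml.etree.ElementTree as ET

# The three values the schema hunk enumerates for header-value.
ALLOWED_HEADER_VALUES = ("0", "1", "1; mode=block")

# The literal that the original "1\;mode=block" spelling would yield if the
# backslash survived into the generated XSD (constructed for illustration).
ESCAPED_LITERAL = r"1\;mode=block"

# Constructed sample fragments, not taken from the project. Nesting of
# <xss-protection> under <headers> is assumed from the XML namespace layout.
SAMPLE_CONFIGS = {
    "defaults": "<headers><xss-protection/></headers>",
    "block-off": '<headers><xss-protection block="false"/></headers>',
    "enabled-off": '<headers><xss-protection enabled="false"/></headers>',
    "explicit-zero": '<headers><xss-protection header-value="0"/></headers>',
    "override-wins": '<headers><xss-protection enabled="false" '
                     'header-value="1; mode=block"/></headers>',
}


def _xsd_bool(text: str) -> bool:
    """Parse an xsd:boolean lexical value ("true"/"false"/"1"/"0")."""
    normalized = text.strip().lower()
    if normalized in ("true", "1"):
        return True
    if normalized in ("false", "0"):
        return False
    raise ValueError(f"not an xsd:boolean: {text!r}")


def is_valid_header_value(value: str) -> bool:
    """True when value is one of the three literals the schema allows."""
    return value in ALLOWED_HEADER_VALUES


def resolve_xss_protection(xml_fragment: str) -> str:
    """Return the X-XSS-Protection value a <headers> fragment configures.

    An explicit header-value overrides enabled and block, as the schema
    documentation states. The enabled/block mapping (enabled=false -> "0",
    block on by default -> "1; mode=block", block off -> "1") is assumed
    from the header writer's behaviour and is not spelled out in the hunk.
    """
    root = ET.fromstring(xml_fragment)
    elem = root if root.tag == "xss-protection" else root.find("xss-protection")
    if elem is None:
        # No element at all: treat as the documented defaults (assumption).
        return "1; mode=block"
    header_value = elem.get("header-value")
    if header_value is not None:
        if not is_valid_header_value(header_value):
            raise ValueError(
                f"header-value {header_value!r} is not in {ALLOWED_HEADER_VALUES}"
            )
        return header_value
    enabled = _xsd_bool(elem.get("enabled", "true"))
    block = _xsd_bool(elem.get("block", "true"))
    if not enabled:
        return "0"
    return "1; mode=block" if block else "1"


if __name__ == "__main__":
    for name, fragment in SAMPLE_CONFIGS.items():
        print(f"{name:14} -> X-XSS-Protection: {resolve_xss_protection(fragment)}")
    print("escaped literal accepted:", is_valid_header_value(ESCAPED_LITERAL))
```

The `explicit-zero` case is the one the new attribute exists for: an explicit `0` could not be expressed before without going through `enabled="false"`, and `0` is the value current secure-header guidance recommends now that browsers no longer ship the filter the header once controlled.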

@Kehrlann Kehrlann force-pushed the x-xss-protection-xml-config branch from b1a4186 to 8ca88d1 Compare October 3, 2022 18:45
@sjohnr
Member

sjohnr commented Oct 3, 2022

Merged via 0e215a2. I regenerated the 5.8 xsd, as it was out of sync, and added c98de7a in 6.0 for the rnc/xsd after the merge.

@sjohnr sjohnr closed this Oct 3, 2022
@sjohnr sjohnr added in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged labels Oct 3, 2022
@sjohnr sjohnr added this to the 5.8.0-RC1 milestone Oct 3, 2022