Support configuring nonce-based Content-Security-Policy

This commit adds support for configuring nonce-based CSP with
Java lambda or Kotlin DSL.

By default, Spring Security adds protection headers for all served
resources. This was not a problem in the past because header values
were static. However, with the introduction of a dynamic nonce in
the CSP, the caching property of static asserts served may change.
With this in mind, this commit also adds convenient methods to set
a request matcher to determine whether a request requires CSP
protection or not.

Closes gh-10826

Signed-off-by: Ziqin Wang <ziqin@wangziqin.net>

Author: ziqin

config/src/main/java/org/springframework/security/config/annotation/web/configurers/HeadersConfigurer.java

@@ -18,23 +18,29 @@
 
 import java.net.URI;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.List;
 import java.util.Map;
+import java.util.function.Function;
 
 import jakarta.servlet.http.HttpServletRequest;
 
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.configuration.ObjectPostProcessorConfiguration;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.web.header.HeaderWriter;
 import org.springframework.security.web.header.HeaderWriterFilter;
+import org.springframework.security.web.header.NonceGeneratingFilter;
 import org.springframework.security.web.header.writers.CacheControlHeadersWriter;
 import org.springframework.security.web.header.writers.ContentSecurityPolicyHeaderWriter;
 import org.springframework.security.web.header.writers.CrossOriginEmbedderPolicyHeaderWriter;
 import org.springframework.security.web.header.writers.CrossOriginOpenerPolicyHeaderWriter;
 import org.springframework.security.web.header.writers.CrossOriginResourcePolicyHeaderWriter;
+import org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter;
 import org.springframework.security.web.header.writers.FeaturePolicyHeaderWriter;
 import org.springframework.security.web.header.writers.HpkpHeaderWriter;
 import org.springframework.security.web.header.writers.HstsHeaderWriter;
@@ -45,6 +51,8 @@
 import org.springframework.security.web.header.writers.XXssProtectionHeaderWriter;
 import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter;
 import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter.XFrameOptionsMode;
+import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
+import org.springframework.security.web.util.matcher.OrRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.Assert;
 
@@ -273,6 +281,14 @@ public HeadersConfigurer<H> defaultsDisabled() {
 	public void configure(H http) {
 		HeaderWriterFilter headersFilter = createHeaderWriterFilter();
 		http.addFilter(headersFilter);
+		configureCspNonceGeneratingFilter(http);
+	}
+
+	private void configureCspNonceGeneratingFilter(H http) {
+		ContentSecurityPolicyHeaderWriter writer = this.contentSecurityPolicy.writer;
+		if (writer != null && writer.isNonceBased()) {
+			http.addFilterBefore(new NonceGeneratingFilter(writer.getNonceAttributeName()), HeaderWriterFilter.class);
+		}
 	}
 
 	/**
@@ -302,7 +318,7 @@ private List<HeaderWriter> getHeaderWriters() {
 		addIfNotNull(writers, this.hsts.writer);
 		addIfNotNull(writers, this.frameOptions.writer);
 		addIfNotNull(writers, this.hpkp.writer);
-		addIfNotNull(writers, this.contentSecurityPolicy.writer);
+		addIfNotNull(writers, this.contentSecurityPolicy.getWriter());
 		addIfNotNull(writers, this.referrerPolicy.writer);
 		addIfNotNull(writers, this.featurePolicy.writer);
 		addIfNotNull(writers, this.permissionsPolicy.writer);
@@ -937,11 +953,15 @@ public final class ContentSecurityPolicyConfig {
 
 		private ContentSecurityPolicyHeaderWriter writer;
 
+		private @Nullable RequestMatcher requestMatcher;
+
 		private ContentSecurityPolicyConfig() {
 		}
 
 		/**
-		 * Sets the security policy directive(s) to be used in the response header.
+		 * Sets the security policy directive(s) to be used in the response header. The
+		 * {@code policyDirectives} may contain {@code {nonce}} as placeholders for a
+		 * generated secure random nonce, e.g., {@code script-src 'self' 'nonce-{nonce}'}.
 		 * @param policyDirectives the security policy directive(s)
 		 * @return the {@link ContentSecurityPolicyConfig} for additional configuration
 		 * @throws IllegalArgumentException if policyDirectives is null or empty
@@ -961,6 +981,70 @@ public ContentSecurityPolicyConfig reportOnly() {
 			return this;
 		}
 
+		/**
+		 * Sets the name of the servlet request attribute for the generated nonce. Views
+		 * can read this attribute to render the nonce in HTML.
+		 * @param nonceAttributeName the name of the nonce attribute
+		 * @return the {@link ContentSecurityPolicyConfig} for additional configuration
+		 * @throws IllegalArgumentException if {@code nonceAttributeName} is {@code null}
+		 * or empty
+		 * @since 7.1
+		 */
+		public ContentSecurityPolicyConfig nonceAttributeName(String nonceAttributeName) {
+			this.writer.setNonceAttributeName(nonceAttributeName);
+			return this;
+		}
+
+		/**
+		 * Specifies the {@link RequestMatcher} to use for determining when CSP should be
+		 * applied. The default is to enable CSP in every response if
+		 * {@link HeadersConfigurer#contentSecurityPolicy(Customizer)} is configured.
+		 * @param requestMatcher the {@link RequestMatcher} to use
+		 * @return the {@link ContentSecurityPolicyConfig} for additional configuration
+		 * @throws IllegalArgumentException if {@code requestMatcher} is null
+		 * @throws IllegalStateException if a {@link RequestMatcher} is already configured
+		 * by a previous call of this method or {@link #requireCspMatchers(String...)}
+		 * @since 7.1
+		 * @see #requireCspMatchers(String...)
+		 */
+		public ContentSecurityPolicyConfig requireCspMatcher(RequestMatcher requestMatcher) {
+			Assert.notNull(requestMatcher, "RequestMatcher cannot be null");
+			Assert.state(this.requestMatcher == null, "RequireCspMatcher(s) is already configured");
+			this.requestMatcher = requestMatcher;
+			return this;
+		}
+
+		/**
+		 * Specifies the matching path patterns for determining when CSP should be
+		 * applied. The default is to enable CSP in every response if
+		 * {@link HeadersConfigurer#contentSecurityPolicy(Customizer)} is configured.
+		 * @param pathPatterns the path patterns to be matched with a
+		 * {@link PathPatternRequestMatcher}
+		 * @return the {@link ContentSecurityPolicyConfig} for additional configuration
+		 * @throws IllegalArgumentException if any path pattern if rejected by
+		 * {@link PathPatternRequestMatcher.Builder#matcher(String)}
+		 * @throws IllegalStateException if a {@link RequestMatcher} is already configured
+		 * by a previous call of this method or {@link #requireCspMatcher(RequestMatcher)}
+		 * @since 7.1
+		 * @see #requireCspMatcher(RequestMatcher)
+		 */
+		public ContentSecurityPolicyConfig requireCspMatchers(String... pathPatterns) {
+			PathPatternRequestMatcher.Builder builder = HeadersConfigurer.this.getRequestMatcherBuilder();
+			// @formatter:off
+			return this.requireCspMatcher(new OrRequestMatcher(
+				Arrays.stream(pathPatterns)
+					.map((Function<? super String, RequestMatcher>) builder::matcher)
+					.toList()));
+			// @formatter:on
+		}
+
+		HeaderWriter getWriter() {
+			if (this.requestMatcher != null) {
+				return new DelegatingRequestMatcherHeaderWriter(this.requestMatcher, this.writer);
+			}
+			return this.writer;
+		}
+
 	}
 
 	public final class ReferrerPolicyConfig {

config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java

@@ -193,10 +193,12 @@
 import org.springframework.security.web.server.header.CrossOriginResourcePolicyServerHttpHeadersWriter.CrossOriginResourcePolicy;
 import org.springframework.security.web.server.header.FeaturePolicyServerHttpHeadersWriter;
 import org.springframework.security.web.server.header.HttpHeaderWriterWebFilter;
+import org.springframework.security.web.server.header.NonceGeneratingWebFilter;
 import org.springframework.security.web.server.header.PermissionsPolicyServerHttpHeadersWriter;
 import org.springframework.security.web.server.header.ReferrerPolicyServerHttpHeadersWriter;
 import org.springframework.security.web.server.header.ReferrerPolicyServerHttpHeadersWriter.ReferrerPolicy;
 import org.springframework.security.web.server.header.ServerHttpHeadersWriter;
+import org.springframework.security.web.server.header.ServerWebExchangeDelegatingServerHttpHeadersWriter;
 import org.springframework.security.web.server.header.StrictTransportSecurityServerHttpHeadersWriter;
 import org.springframework.security.web.server.header.XFrameOptionsServerHttpHeadersWriter;
 import org.springframework.security.web.server.header.XXssProtectionServerHttpHeadersWriter;
@@ -2560,6 +2562,10 @@ protected void configure(ServerHttpSecurity http) {
 			ServerHttpHeadersWriter writer = new CompositeServerHttpHeadersWriter(this.writers);
 			HttpHeaderWriterWebFilter result = new HttpHeaderWriterWebFilter(writer);
 			http.addFilterAt(result, SecurityWebFiltersOrder.HTTP_HEADERS_WRITER);
+			if (this.contentSecurityPolicy.isNonceBased()) {
+				http.addFilterBefore(new NonceGeneratingWebFilter(this.contentSecurityPolicy.getNonceAttributeName()),
+						SecurityWebFiltersOrder.HTTP_HEADERS_WRITER);
+			}
 		}
 
 		/**
@@ -2854,6 +2860,9 @@ public ContentSecurityPolicySpec reportOnly(boolean reportOnly) {
 
 			/**
 			 * Sets the security policy directive(s) to be used in the response header.
+			 * The {@code policyDirectives} may contain {@code {nonce}} as placeholders
+			 * for a generated secure random nonce, e.g., {@code script-src 'self'
+			 * 'nonce-{nonce}'}.
 			 * @param policyDirectives the security policy directive(s)
 			 * @return the {@link ContentSecurityPolicySpec} to continue configuring
 			 */
@@ -2862,6 +2871,63 @@ public ContentSecurityPolicySpec policyDirectives(String policyDirectives) {
 				return this;
 			}
 
+			/**
+			 * Sets the name of the {@link ServerWebExchange#getAttribute(String) request
+			 * attribute} for the generated nonce. Views can read this attribute to render
+			 * the nonce in HTML.
+			 * @param nonceAttributeName the name of the nonce attribute
+			 * @return the {@link ContentSecurityPolicySpec} to continue configuring
+			 * @throws IllegalArgumentException if {@code nonceAttributeName} is
+			 * {@code null} or empty
+			 * @since 7.1
+			 */
+			public ContentSecurityPolicySpec nonceAttributeName(String nonceAttributeName) {
+				HeaderSpec.this.contentSecurityPolicy.setNonceAttributeName(nonceAttributeName);
+				return this;
+			}
+
+			/**
+			 * Specifies the {@link ServerWebExchangeMatcher} to use for determining when
+			 * CSP should be applied. The default is to enable CSP in every response if
+			 * {@link HeaderSpec#contentSecurityPolicy(Customizer)} is configured.
+			 * @param matcher the {@link ServerWebExchangeMatcher} to use
+			 * @return the {@link ContentSecurityPolicySpec} to continue configuring
+			 * @throws IllegalArgumentException if {@code matcher} is {@code null}
+			 * @throws IllegalStateException if a {@link ServerWebExchangeMatcher} is
+			 * already configured by a previous call of this method or
+			 * {@link #requireCspMatchers(String...)}
+			 * @since 7.1
+			 * @see #requireCspMatchers(String...)
+			 */
+			public ContentSecurityPolicySpec requireCspMatcher(ServerWebExchangeMatcher matcher) {
+				Assert.notNull(matcher, "Matcher must not be null");
+				// Replace the CSP writer in the list with a matcher-decorated writer
+				int idx = HeaderSpec.this.writers.indexOf(HeaderSpec.this.contentSecurityPolicy);
+				Assert.state(idx >= 0, "RequireCspMatcher(s) is already configured");
+				HeaderSpec.this.writers.set(idx, new ServerWebExchangeDelegatingServerHttpHeadersWriter(matcher,
+						HeaderSpec.this.contentSecurityPolicy));
+				return this;
+			}
+
+			/**
+			 * Specifies the matching path patterns for determining when CSP should be
+			 * applied. The default is to enable CSP in every response if
+			 * {@link HeaderSpec#contentSecurityPolicy(Customizer)} is configured.
+			 * @param pathPatterns the path patterns to be matched with a
+			 * {@link PathPatternParserServerWebExchangeMatcher}
+			 * @return the {@link ContentSecurityPolicySpec} to continue configuring
+			 * @throws IllegalArgumentException if any path pattern is rejected by
+			 * {@link PathPatternParserServerWebExchangeMatcher}
+			 * @throws IllegalStateException if a {@link ServerWebExchangeMatcher} is
+			 * already configured by a previous call of this method or
+			 * {@link #requireCspMatcher(ServerWebExchangeMatcher)}
+			 * @since 7.1
+			 * @see #requireCspMatcher(ServerWebExchangeMatcher)
+			 */
+			public ContentSecurityPolicySpec requireCspMatchers(String... pathPatterns) {
+				return this.requireCspMatcher(ServerWebExchangeMatchers.pathMatchers(pathPatterns));
+			}
+
 			private ContentSecurityPolicySpec(String policyDirectives) {
 				HeaderSpec.this.contentSecurityPolicy.setPolicyDirectives(policyDirectives);
 			}

config/src/main/kotlin/org/springframework/security/config/annotation/web/headers/ContentSecurityPolicyDsl.kt

@@ -18,21 +18,63 @@ package org.springframework.security.config.annotation.web.headers
 
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer
+import org.springframework.security.web.util.matcher.RequestMatcher
 
 /**
  * A Kotlin DSL to configure the [HttpSecurity] Content-Security-Policy header using
  * idiomatic Kotlin code.
  *
  * @author Eleftheria Stein
+ * @author Ziqin Wang
  * @since 5.3
- * @property policyDirectives the security policy directive(s) to be used in the response header.
- * @property reportOnly includes the Content-Security-Policy-Report-Only header in the response.
  */
 @HeadersSecurityMarker
 class ContentSecurityPolicyDsl {
+    /**
+     * The security policy directive(s) to be used in the response header.
+     * The [policyDirectives] may contain `{code}` as placeholders for a generated secure
+     * random nonce, e.g., `script-src 'self' 'nonce-{nonce}'`.
+     */
     var policyDirectives: String? = null
+
+    /** Includes the `Content-Security-Policy-Report-Only` header in the response. */
     var reportOnly: Boolean? = null
 
+    /**
+     * The name of the servlet request attribute for the generated nonce. Views can read
+     * this attribute to render the nonce in HTML.
+     * @since 7.1
+     */
+    var nonceAttributeName: String? = null
+
+    /**
+     * The [RequestMatcher] to use for determining when CSP should be applied.
+     * The default is to enable CSP in every response if
+     * [org.springframework.security.config.annotation.web.HeadersDsl.contentSecurityPolicy]
+     * is configured.
+     * You can configure either this property or [requireCspMatchers], but not both.
+     * @since 7.1
+     * @see requireCspMatchers
+     */
+    var requireCspMatcher: RequestMatcher? = null
+
+    private var requireCspPathPatterns: Array<out String>? = null
+
+    /**
+     * Specify the matching path patterns for determining when CSP should be applied.
+     * The default is to write CSP header in every response if
+     * [org.springframework.security.config.annotation.web.HeadersDsl.contentSecurityPolicy]
+     * is configured.
+     * You can configure either this method or [requireCspMatcher], but not both.
+     * @param pathPatterns the path patterns to be matched with a
+     * [org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher]
+     * @since 7.1
+     * @see requireCspMatcher
+     */
+    fun requireCspMatchers(vararg pathPatterns: String) {
+        requireCspPathPatterns = pathPatterns
+    }
+
     internal fun get(): (HeadersConfigurer<HttpSecurity>.ContentSecurityPolicyConfig) -> Unit {
         return { contentSecurityPolicy ->
             policyDirectives?.also {
@@ -43,6 +85,9 @@ class ContentSecurityPolicyDsl {
                     contentSecurityPolicy.reportOnly()
                 }
             }
+            nonceAttributeName?.also(contentSecurityPolicy::nonceAttributeName)
+            requireCspMatcher?.also(contentSecurityPolicy::requireCspMatcher)
+            requireCspPathPatterns?.also(contentSecurityPolicy::requireCspMatchers)
         }
     }
 }

config/src/main/kotlin/org/springframework/security/config/web/server/ServerContentSecurityPolicyDsl.kt

@@ -16,18 +16,61 @@
 
 package org.springframework.security.config.web.server
 
+import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher
+
 /**
  * A Kotlin DSL to configure the [ServerHttpSecurity] Content-Security-Policy header using
  * idiomatic Kotlin code.
  *
  * @author Eleftheria Stein
+ * @author Ziqin Wang
  * @since 5.4
  */
 @ServerSecurityMarker
 class ServerContentSecurityPolicyDsl {
+    /**
+     * The security policy directive(s) to be used in the response header.
+     * The `policyDirectives` may contain `{nonce}` as placeholders for a generated
+     * secure random nonce, e.g., `script-src 'self' 'nonce-{nonce}'`.
+     */
     var policyDirectives: String? = null
+
+    /** Includes the `Content-Security-Policy-Report-Only` header in the response. */
     var reportOnly: Boolean? = null
 
+    /**
+     * The name of the request attribute for the generated nonce. Views can read this
+     * attribute to render the nonce in HTML.
+     * @since 7.1
+     */
+    var nonceAttributeName: String? = null
+
+    /**
+     * The [ServerWebExchangeMatcher] to use for determining when CSP should be applied.
+     * The default is to enable CSP in every response if [ServerHeadersDsl.contentSecurityPolicy]
+     * is configured.
+     * You can configure either this property or [requireCspMatchers], but not both.
+     * @since 7.1
+     * @see requireCspMatchers
+     */
+    var requireCspMatcher: ServerWebExchangeMatcher? = null
+
+    private var requireCspPathPatterns: Array<out String>? = null
+
+    /**
+     * Specify the matching path patterns for determining when CSP should be applied.
+     * The default is to enable CSP in every response if [ServerHeadersDsl.contentSecurityPolicy]
+     * is configured.
+     * You can configure either this method or [requireCspMatcher], but not both.
+     * @param pathPatterns the path patterns to be matched with a
+     * [org.springframework.security.web.server.util.matcher.PathPatternParserServerWebExchangeMatcher]
+     * @since 7.1
+     * @see requireCspMatcher
+     */
+    fun requireCspMatchers(vararg pathPatterns: String) {
+        requireCspPathPatterns = pathPatterns
+    }
+
     internal fun get(): (ServerHttpSecurity.HeaderSpec.ContentSecurityPolicySpec) -> Unit {
         return { contentSecurityPolicy ->
             policyDirectives?.also {
@@ -36,6 +79,9 @@ class ServerContentSecurityPolicyDsl {
             reportOnly?.also {
                 contentSecurityPolicy.reportOnly(reportOnly!!)
             }
+            nonceAttributeName?.also(contentSecurityPolicy::nonceAttributeName)
+            requireCspMatcher?.also(contentSecurityPolicy::requireCspMatcher)
+            requireCspPathPatterns?.also(contentSecurityPolicy::requireCspMatchers)
         }
     }
 }