Support nonce-based Content-Security-Policy

When strict Content Security Policy is used, web browsers block inline
<script> or <style> blocks in HTML to mitigate XSS attacks injecting
malicious inline blocks. To allow intended inline blocks, web developers
can generate a hard-to-guess nonce and specify it in both the CSP and
allowed inline blocks.

Currently, Spring Security only supports specifying static content
security policy directives. This commit adds support to dynamically
generate a secure random nonce for CSP:

- NonceGeneratingFilter & NonceGeneratingWebFilter are added to
  generate a nonce and set it as a request attribute,
- ContentSecurityPolicyHeaderWriter &
  ContentSecurityPolicyServerHttpHeadersWriter are modified to read
  the _csp_nonce attribute and write it to the Content-Security-Policy
  header, replacing the {nonce} placeholder in the given
  policyDirectives string.

The whole process is separated in two steps because by default a header
writer cannot set a request attribute visible to views for rendering the
nonce in HTML.

`_csp_nonce` is chosen as the default attribute name because it has a
similar format with the existing `_csrf` attribute. The attribute name
is configurable.

This commit implements gh-10826.

Signed-off-by: Ziqin Wang <ziqin@wangziqin.net>

Author: ziqin

web/src/main/java/org/springframework/security/web/header/NonceGeneratingFilter.java

@@ -0,0 +1,88 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.header;
+
+import java.io.IOException;
+import java.util.Base64;
+
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+import org.springframework.security.crypto.keygen.Base64StringKeyGenerator;
+import org.springframework.security.crypto.keygen.StringKeyGenerator;
+import org.springframework.util.Assert;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+/**
+ * A filter which generates a nonce string and sets it as a request attribute.
+ *
+ * <p>
+ * {@link org.springframework.security.web.header.writers.ContentSecurityPolicyHeaderWriter}
+ * can use the attribute to write a nonce-based Content Security Policy header, and a view
+ * technology can render the nonce in generated HTML to allow intended inline
+ * {@code <script>} or {@code <style>} blocks.
+ *
+ * <p>
+ * This filter may be used to generate a nonce attribute for other purposes.
+ *
+ * @author Ziqin Wang
+ * @since 7.1
+ */
+public final class NonceGeneratingFilter extends OncePerRequestFilter {
+
+	private final String attributeName;
+
+	private final StringKeyGenerator nonceGenerator;
+
+	/**
+	 * Creates a new instance.
+	 * @param attributeName the name of the request attribute to generate
+	 * @param nonceGenerator a {@link StringKeyGenerator} for generating nonce
+	 * @throws IllegalArgumentException if {@code attributeName} is null or empty string,
+	 * or {@code nonceGenerator} is null
+	 */
+	public NonceGeneratingFilter(String attributeName, StringKeyGenerator nonceGenerator) {
+		Assert.hasLength(attributeName, "AttributeName must not be null or empty");
+		Assert.notNull(nonceGenerator, "NonceGenerator must not be null");
+		this.attributeName = attributeName;
+		this.nonceGenerator = nonceGenerator;
+	}
+
+	/**
+	 * Creates a new instance.
+	 * <p>
+	 * For each request, the created filter will generate a secure random nonce value with
+	 * 128-bit entropy and encode it as a Base64 string without padding.
+	 * @param attributeName the name of the request attribute to generate
+	 * @throws IllegalArgumentException if {@code attributeName} is null or empty string
+	 */
+	public NonceGeneratingFilter(String attributeName) {
+		this(attributeName, new Base64StringKeyGenerator(Base64.getEncoder().withoutPadding(), 16));
+	}
+
+	@Override
+	protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
+			throws ServletException, IOException {
+
+		String nonce = this.nonceGenerator.generateKey();
+		request.setAttribute(this.attributeName, nonce);
+		filterChain.doFilter(request, response);
+	}
+
+}

web/src/main/java/org/springframework/security/web/header/writers/ContentSecurityPolicyHeaderWriter.java

@@ -55,6 +55,30 @@
  * </p>
  *
  * <p>
+ * With related directives specified, web clients could block inline {@code <script>} or
+ * {@code <style>} blocks in the HTML to mitigate XSS attacks injecting malicious inline
+ * blocks. To allow intended inline blocks, a CSP directive (usually {@code script-src} or
+ * {@code style-src}) may specify a hard-to-guess nonce matching the nonce attributes of
+ * inline HTML blocks.
+ * </p>
+ *
+ * <p>
+ * To ease writing nonce-based CSP headers, this class replaces the {@code {nonce}}
+ * placeholder in the {@code policyDirectives} with a real nonce value read from a servlet
+ * request attribute named {@code _csp_nonce} (or another configured attribute name). A
+ * {@link org.springframework.security.web.header.NonceGeneratingFilter} can be configured
+ * to generate a unique secure random {@code _csp_nonce} attribute for each request.
+ * </p>
+ *
+ * <p>
+ * For example, if the configured {@code policyDirectives} is {@code script-src 'self'
+ * 'nonce-{nonce}'}, and a
+ * {@link org.springframework.security.web.header.NonceGeneratingFilter} has set the
+ * {@code _csp_nonce} attribute to {@code "Nc3n83cnSAd3wc3Sasdfn9"}, then the written HTTP
+ * header value would be {@code script-src 'self' 'nonce-Nc3n83cnSAd3wc3Sasdfn9'}.
+ * </p>
+ *
+ * <p>
  * This implementation of {@link HeaderWriter} writes one of the following headers:
  * </p>
  * <ul>
@@ -79,20 +103,30 @@
  *
  * @author Joe Grandja
  * @author Ankur Pathak
+ * @author Ziqin Wang
  * @since 4.1
+ * @see org.springframework.security.web.header.NonceGeneratingFilter
  */
 public final class ContentSecurityPolicyHeaderWriter implements HeaderWriter {
 
-	private static final String CONTENT_SECURITY_POLICY_HEADER = "Content-Security-Policy";
+	public static final String CONTENT_SECURITY_POLICY_HEADER = "Content-Security-Policy";
 
-	private static final String CONTENT_SECURITY_POLICY_REPORT_ONLY_HEADER = "Content-Security-Policy-Report-Only";
+	public static final String CONTENT_SECURITY_POLICY_REPORT_ONLY_HEADER = "Content-Security-Policy-Report-Only";
 
 	private static final String DEFAULT_SRC_SELF_POLICY = "default-src 'self'";
 
+	public static final String DEFAULT_NONCE_ATTRIBUTE_NAME = "_csp_nonce";
+
+	public static final String NONCE_PLACEHOLDER = "{nonce}";
+
 	private String policyDirectives;
 
 	private boolean reportOnly;
 
+	private boolean isNonceBased;
+
+	private String nonceAttributeName = DEFAULT_NONCE_ATTRIBUTE_NAME;
+
 	/**
 	 * Creates a new instance. Default value: default-src 'self'
 	 */
@@ -120,18 +154,30 @@ public void writeHeaders(HttpServletRequest request, HttpServletResponse respons
 		String headerName = (!this.reportOnly) ? CONTENT_SECURITY_POLICY_HEADER
 				: CONTENT_SECURITY_POLICY_REPORT_ONLY_HEADER;
 		if (!response.containsHeader(headerName)) {
-			response.setHeader(headerName, this.policyDirectives);
+			String csp;
+			if (this.isNonceBased) {
+				String nonce = (String) request.getAttribute(this.nonceAttributeName);
+				Assert.state(nonce != null, "Nonce is unset");
+				csp = this.policyDirectives.replace(NONCE_PLACEHOLDER, nonce);
+			}
+			else {
+				csp = this.policyDirectives;
+			}
+			response.setHeader(headerName, csp);
 		}
 	}
 
 	/**
-	 * Sets the security policy directive(s) to be used in the response header.
+	 * Sets the security policy directive(s) to be used in the response header. The
+	 * {@code policyDirectives} may contain {@code {nonce}} as placeholders to be
+	 * replaced.
 	 * @param policyDirectives the security policy directive(s)
 	 * @throws IllegalArgumentException if policyDirectives is null or empty
 	 */
 	public void setPolicyDirectives(String policyDirectives) {
 		Assert.hasLength(policyDirectives, "policyDirectives cannot be null or empty");
 		this.policyDirectives = policyDirectives;
+		this.isNonceBased = policyDirectives.contains(NONCE_PLACEHOLDER);
 	}
 
 	/**
@@ -143,10 +189,44 @@ public void setReportOnly(boolean reportOnly) {
 		this.reportOnly = reportOnly;
 	}
 
+	/**
+	 * Sets the name of the servlet request attribute from which the nonce value is taken.
+	 * Defaults to {@code _csp_nonce} if unset.
+	 * @param nonceAttributeName the name of the nonce attribute
+	 * @throws IllegalArgumentException if {@code nonceAttributeName} is {@code null} or
+	 * empty
+	 * @since 7.1
+	 */
+	public void setNonceAttributeName(String nonceAttributeName) {
+		Assert.hasLength(nonceAttributeName, "nonceAttributeName cannot be null or empty");
+		this.nonceAttributeName = nonceAttributeName;
+	}
+
+	/**
+	 * Returns the name of the servlet request attribute from which the nonce value is
+	 * taken. Defaults to {@code _csp_nonce} if unset.
+	 * @return the name of the nonce attribute.
+	 * @since 7.1
+	 */
+	public String getNonceAttributeName() {
+		return this.nonceAttributeName;
+	}
+
+	/**
+	 * Returns whether the content security policy is nonce-based. The CSP is considered
+	 * nonce-based if the configured {@code policyDirectives} string contains a
+	 * {@code {nonce}} placeholder.
+	 * @return whether the content security policy is nonce-based
+	 * @since 7.1
+	 */
+	public boolean isNonceBased() {
+		return this.isNonceBased;
+	}
+
 	@Override
 	public String toString() {
 		return getClass().getName() + " [policyDirectives=" + this.policyDirectives + "; reportOnly=" + this.reportOnly
-				+ "]";
+				+ "; isNonceBased=" + this.isNonceBased + "; nonceAttributeName=" + this.nonceAttributeName + "]";
 	}
 
 }

web/src/main/java/org/springframework/security/web/server/header/ContentSecurityPolicyServerHttpHeadersWriter.java

@@ -16,18 +16,44 @@
 
 package org.springframework.security.web.server.header;
 
+import java.util.List;
+
 import org.jspecify.annotations.Nullable;
 import reactor.core.publisher.Mono;
 
-import org.springframework.security.web.server.header.StaticServerHttpHeadersWriter.Builder;
+import org.springframework.http.HttpHeaders;
 import org.springframework.util.Assert;
 import org.springframework.web.server.ServerWebExchange;
 
 /**
  * Writes the {@code Content-Security-Policy} response header with configured policy
  * directives.
  *
+ * <p>
+ * With related directives specified, web clients could block inline {@code <script>} or
+ * {@code <style>} blocks in the HTML to mitigate XSS attacks injecting malicious inline
+ * blocks. To allow intended inline blocks, a CSP directive (usually {@code script-src} or
+ * {@code style-src}) may specify a hard-to-guess nonce matching the nonce attributes of
+ * inline HTML blocks.
+ *
+ * <p>
+ * To ease writing nonce-based CSP headers, this class replaces the {@code {nonce}}
+ * placeholder in the {@code policyDirectives} with a real nonce value read from a
+ * {@link ServerWebExchange#getAttribute(String) request attribute} named
+ * {@code _csp_nonce} (or another configured attribute name). A
+ * {@link org.springframework.security.web.server.header.NonceGeneratingWebFilter} can be
+ * configured to generate a unique secure random {@code _csp_nonce} attribute for each
+ * request.
+ *
+ * <p>
+ * For example, if the configured {@code policyDirectives} is {@code script-src 'self'
+ * 'nonce-{nonce}'}, and a
+ * {@link org.springframework.security.web.server.header.NonceGeneratingWebFilter} has set
+ * the {@code _csp_nonce} attribute to {@code "Nc3n83cnSAd3wc3Sasdfn9"}, then the written
+ * HTTP header value would be {@code script-src 'self' 'nonce-Nc3n83cnSAd3wc3Sasdfn9'}.
+ *
  * @author Vedran Pavic
+ * @author Ziqin Wang
  * @since 5.1
  */
 public final class ContentSecurityPolicyServerHttpHeadersWriter implements ServerHttpHeadersWriter {
@@ -36,26 +62,48 @@ public final class ContentSecurityPolicyServerHttpHeadersWriter implements Serve
 
 	public static final String CONTENT_SECURITY_POLICY_REPORT_ONLY = "Content-Security-Policy-Report-Only";
 
+	public static final String DEFAULT_NONCE_ATTRIBUTE_NAME = "_csp_nonce";
+
+	public static final String NONCE_PLACEHOLDER = "{nonce}";
+
 	private @Nullable String policyDirectives;
 
 	private boolean reportOnly;
 
-	private @Nullable ServerHttpHeadersWriter delegate;
+	private String nonceAttributeName = DEFAULT_NONCE_ATTRIBUTE_NAME;
+
+	private boolean isNonceBased;
 
 	@Override
 	public Mono<Void> writeHttpHeaders(ServerWebExchange exchange) {
-		return (this.delegate != null) ? this.delegate.writeHttpHeaders(exchange) : Mono.empty();
+		return Mono.justOrEmpty(this.policyDirectives).flatMap(csp -> {
+			String headerName = resolveHeader(this.reportOnly);
+			HttpHeaders headers = exchange.getResponse().getHeaders();
+			if (!headers.containsHeader(headerName)) {
+				if (this.isNonceBased) {
+					String nonce = exchange.getAttribute(this.nonceAttributeName);
+					if (nonce == null) {
+						return Mono.error(new IllegalStateException("Nonce is unset"));
+					}
+					csp = csp.replace(NONCE_PLACEHOLDER, nonce);
+				}
+				headers.put(headerName, List.of(csp));
+			}
+			return Mono.empty();
+		});
 	}
 
 	/**
-	 * Set the policy directive(s) to be used in the response header.
+	 * Set the policy directive(s) to be used in the response header. The
+	 * {@code policyDirectives} may contain {@code {nonce}} as placeholders to be
+	 * replaced.
 	 * @param policyDirectives the policy directive(s)
 	 * @throws IllegalArgumentException if policyDirectives is {@code null} or empty
 	 */
 	public void setPolicyDirectives(String policyDirectives) {
 		Assert.hasLength(policyDirectives, "policyDirectives must not be null or empty");
 		this.policyDirectives = policyDirectives;
-		this.delegate = createDelegate();
+		this.isNonceBased = policyDirectives.contains(NONCE_PLACEHOLDER);
 	}
 
 	/**
@@ -65,16 +113,42 @@ public void setPolicyDirectives(String policyDirectives) {
 	 */
 	public void setReportOnly(boolean reportOnly) {
 		this.reportOnly = reportOnly;
-		this.delegate = createDelegate();
 	}
 
-	private @Nullable ServerHttpHeadersWriter createDelegate() {
-		if (this.policyDirectives == null) {
-			return null;
-		}
-		Builder builder = StaticServerHttpHeadersWriter.builder();
-		builder.header(resolveHeader(this.reportOnly), this.policyDirectives);
-		return builder.build();
+	/**
+	 * Sets the name of the {@link ServerWebExchange#getAttribute(String) exchange
+	 * attribute} from which the nonce value is taken. Defaults to {@code _csp_nonce} if
+	 * unset.
+	 * @param nonceAttributeName the name of the nonce attribute
+	 * @throws IllegalArgumentException if {@code nonceAttributeName} is {@code null} or
+	 * empty
+	 * @since 7.1
+	 */
+	public void setNonceAttributeName(String nonceAttributeName) {
+		Assert.hasLength(nonceAttributeName, "nonceAttributeName cannot be null or empty");
+		this.nonceAttributeName = nonceAttributeName;
+	}
+
+	/**
+	 * Returns the name of the {@link ServerWebExchange#getAttribute(String) request
+	 * attribute} from which the nonce value is taken. Defaults to {@code _csp_nonce} if
+	 * unset.
+	 * @return the name of the nonce attribute.
+	 * @since 7.1
+	 */
+	public String getNonceAttributeName() {
+		return this.nonceAttributeName;
+	}
+
+	/**
+	 * Returns whether the content security policy is nonce-based. The CSP is considered
+	 * nonce-based if the configured {@code policyDirectives} string contains a
+	 * {@code {nonce}} placeholder.
+	 * @return whether the content security policy is nonce-based
+	 * @since 7.1
+	 */
+	public boolean isNonceBased() {
+		return this.isNonceBased;
 	}
 
 	private static String resolveHeader(boolean reportOnly) {