Tags: java, uri, wicket, content-security-policy, webdav

Configure Content Security Policy according to the Office URI scheme


I am trying to configure a content security policy for a Java web application.

I am currently overriding the init method of WebApplication like this:

final CSPHeaderConfiguration cspHeaderConfiguration = getCspSettings().blocking().unsafeInline();

I am aware that this is not the best option, but as I am modifying an existing application, I just want to integrate a less secure policy and then upgrade over time, as a stricter option causes other issues.

This is working pretty well and the resulting CSP header looks like this:

Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self'; connect-src 'self'; font-src 'self'; manifest-src 'self'; child-src 'self'; base-uri 'self'; frame-src 'self'

This works fine except when I try to open a file using the Microsoft Office URI scheme. More specifically, I open a Word document using an iframe with WebDAV.

I set the URL of the iframe like this:

$('body').append('<iframe class="open-direct-link-iframe" style="display:none"></iframe>');
var $iframe = $('.open-direct-link-iframe');
$iframe.attr('src', 'ms-word:ofe|u|https://localhost:8443/app/api/webdav/Asset/A3A2523A7FB23E650D1FD89BD5246F10-184/5/Word-document.docx');

Without the CSP this works fine. However, with it I get the following error message:

Content-Security-Policy: The page’s settings blocked the loading of a resource at ms-word:ofe|u|https://localhost:8443/app/api/webdav/Asset/A3A2523A7FB23E650D1FD89BD5246F10-184/5/Microsoft Word-document.docx (“frame-src”).

I cannot figure out how to configure the CSP correctly. If I use a normal URL for my iframe like https://localhost:8443/app/home this works fine, so I am certain that the issue lies with ms-word:ofe|u|.


Solution

  • The solution I arrived at is this:

    cspHeaderConfiguration.add(CSPDirective.FRAME_SRC, (settings, cycle) -> "ms-word:");

    I do not know how correct this is in terms of security, but it at least allows activating CSP with unsafeInline, which is better than nothing.
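As an added illustration (not part of the question or the answer above), the following Python model shows why the browser blocked the ms-word: iframe under the original header and why adding a scheme-source to frame-src lets it through: it parses the CSP header from the question and applies simplified CSP source matching with the frame-src -> child-src -> default-src fallback. It assumes Wicket renders the added source as "frame-src 'self' ms-word:"; the document URL and origin are taken from the question.

```python
from urllib.parse import urlsplit

# Header copied from the question; the "after" variant assumes Wicket renders
# the added source as "frame-src 'self' ms-word:".
HEADER_BEFORE = ("default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
                 "style-src 'self' 'unsafe-inline'; img-src 'self'; connect-src 'self'; "
                 "font-src 'self'; manifest-src 'self'; child-src 'self'; base-uri 'self'; "
                 "frame-src 'self'")
HEADER_AFTER = HEADER_BEFORE.replace("frame-src 'self'", "frame-src 'self' ms-word:")
PAGE_ORIGIN = "https://localhost:8443"
DOC_URL = ("ms-word:ofe|u|https://localhost:8443/app/api/webdav/Asset/"
           "A3A2523A7FB23E650D1FD89BD5246F10-184/5/Word-document.docx")


def parse_csp(header):
    """Split a CSP header value into {directive-name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def source_matches(expr, url, page_origin):
    """Simplified CSP source matching: 'self', scheme-source and origin host-source.
    Keyword sources such as 'none' or 'unsafe-inline' never match a URL."""
    parts = urlsplit(url)                     # "ms-word:..." parses as scheme "ms-word"
    origin = f"{parts.scheme}://{parts.netloc}"
    expr = expr.lower()
    if expr == "'self'":
        return origin == page_origin
    if expr.endswith(":") and "/" not in expr:   # scheme-source, e.g. ms-word:
        return parts.scheme == expr[:-1]         # matches any host and any path
    if "://" in expr:                            # host-source written as an origin
        return origin == expr
    return False


def frame_allowed(header, url, page_origin=PAGE_ORIGIN):
    """Return (governing directive, allowed) for loading url in an <iframe>."""
    policy = parse_csp(header)
    for name in ("frame-src", "child-src", "default-src"):   # CSP fallback chain
        if name in policy:
            return name, any(source_matches(s, url, page_origin) for s in policy[name])
    return None, True   # no governing directive: nothing restricts the load


if __name__ == "__main__":
    for label, header in (("before", HEADER_BEFORE), ("after", HEADER_AFTER)):
        print(label, frame_allowed(header, DOC_URL))
```

Note that a scheme-source matches every URL with that scheme regardless of host, so `ms-word:` permits any ms-word: launch URL, not only those pointing at the application's own WebDAV endpoint.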