CLOUDSTACK-9833: Added content security policy in HTTP servlet response to detect and mitigate certain type of attacks.

Restricted image source, style sheets, java scripts, URLs to be loaded only from self.

Author: Harikrishna Patnala

utils/src/main/java/com/cloud/utils/HttpUtils.java

@@ -50,6 +50,17 @@ public static void addSecurityHeaders(final HttpServletResponse resp) {
         else {
             resp.addHeader("X-XSS-Protection", "1;mode=block");
         }
+
+        if (resp.containsHeader("content-security-policy")) {
+            resp.setIntHeader("content-security-policy", 1);
+        }else {
+            resp.addIntHeader("content-security-policy", 1);
+        }
+        resp.addHeader("content-security-policy","default-src=none");
+        resp.addHeader("content-security-policy","script-src=self");
+        resp.addHeader("content-security-policy","connect-src=self");
+        resp.addHeader("content-security-policy","img-src=self");
+        resp.addHeader("content-security-policy","style-src=self");
     }
 
     public static void writeHttpResponse(final HttpServletResponse resp, final String response,