Proposal for public-facing APIs to implement Content Security Policy.

juneau-core/juneau-marshall/src/main/java/org/apache/juneau/html/HtmlDocSerializer.java

@@ -158,6 +158,84 @@ public class HtmlDocSerializer extends HtmlStrippedDocSerializer {
 	 */
 	public static final String HTMLDOC_asideFloat = PREFIX + ".asideFloat.s";
 
+	/**
+	 * Configuration property:  Content Security Policy (CSP) Hash algorithm name.
+	 *
+	 * <h5 class='section'>Property:</h5>
+	 * <ul class='spaced-list'>
+	 * 	<li><b>ID:</b>  {@link org.apache.juneau.html.HtmlDocSerializer#HTMLDOC_cspHash HTMLDOC_cspHash}
+	 * 	<li><b>Name:</b>  <js>"HtmlDocSerializer.cspHash.s"</js>
+	 * 	<li><b>Data type:</b>  {@link org.apache.juneau.html.annotation.CspHash}
+	 * 	<li><b>System property:</b>  <c>HtmlDocSerializer.cspHash</c>
+	 * 	<li><b>Environment variable:</b>  <c>HTMLDOCSERIALIZER_CSPHASH</c>
+	 * 	<li><b>Default:</b>  {@link org.apache.juneau.html.annotation.CspHash#DEFAULT}
+	 * 	<li><b>Session property:</b>  <jk>true</jk>
+	 * 	<li><b>Annotations:</b>
+	 * 		<ul>
+	 * 			<li class='ja'>{@link org.apache.juneau.html.annotation.HtmlDocConfig#cspHash()}
+	 * 		</ul>
+	 * 	<li><b>Methods:</b>
+	 * 		<ul>
+	 * 			<li class='jm'>{@link org.apache.juneau.html.HtmlDocSerializerBuilder#cspHash(org.apache.juneau.html.annotation.CspHash)}
+	 * 		</ul>
+	 * </ul>
+	 *
+	 * <h5 class='section'>Description:</h5>
+	 * <p>
+	 * Allows you to set a CSP Hash algorithm name.
+	 *
+	 * <p>
+	 * By default, this feature is disabled.
+	 *
+	 * <h5 class='section'>Example:</h5>
+	 * <p class='bcode w800'>
+	 *  <ja>@HtmlDocConfig</ja>(
+	 * 		cspHash=<js>"sha256"</js>
+	 * 	)
+	 * </p>
+	 * @since 9.0.0
+	 */
+	public static final String HTMLDOC_cspHash = PREFIX + ".cspHash.s";
+
+	/**
+	 * Configuration property:  Content Security Policy (CSP) nonce algorithm name.
+	 *
+	 * <h5 class='section'>Property:</h5>
+	 * <ul class='spaced-list'>
+	 * 	<li><b>ID:</b>  {@link org.apache.juneau.html.HtmlDocSerializer#HTMLDOC_cspNonce HTMLDOC_cspNonce}
+	 * 	<li><b>Name:</b>  <js>"HtmlDocSerializer.cspNonce.s"</js>
+	 * 	<li><b>Data type:</b>  {@link org.apache.juneau.html.annotation.CspNonce}
+	 * 	<li><b>System property:</b>  <c>HtmlDocSerializer.cspNonce</c>
+	 * 	<li><b>Environment variable:</b>  <c>HTMLDOCSERIALIZER_CSPNONCE</c>
+	 * 	<li><b>Default:</b>  {@link org.apache.juneau.html.annotation.CspNonce#DEFAULT}
+	 * 	<li><b>Session property:</b>  <jk>true</jk>
+	 * 	<li><b>Annotations:</b>
+	 * 		<ul>
+	 * 			<li class='ja'>{@link org.apache.juneau.html.annotation.HtmlDocConfig#cspNonce()}
+	 * 		</ul>
+	 * 	<li><b>Methods:</b>
+	 * 		<ul>
+	 * 			<li class='jm'>{@link org.apache.juneau.html.HtmlDocSerializerBuilder#cspNonce(org.apache.juneau.html.annotation.CspNonce)}
+	 * 		</ul>
+	 * </ul>
+	 *
+	 * <h5 class='section'>Description:</h5>
+	 * <p>
+	 * Allows you to set a CSP nonce algorithm name.
+	 *
+	 * <p>
+	 * By default, this feature is disabled.
+	 *
+	 * <h5 class='section'>Example:</h5>
+	 * <p class='bcode w800'>
+	 *  <ja>@HtmlDocConfig</ja>(
+	 * 		cspNonce=<js>"SecureRandom"</js>
+	 * 	)
+	 * </p>
+	 * @since 9.0.0
+	 */
+	public static final String HTMLDOC_cspNonce = PREFIX + ".cspNonce.s";
+
 	/**
 	 * Configuration property:  Footer section contents.
 	 *
@@ -717,6 +795,8 @@ public class HtmlDocSerializer extends HtmlStrippedDocSerializer {
 	//-------------------------------------------------------------------------------------------------------------------
 
 	private final String[] style, stylesheet, script, navlinks, head, header, nav, aside, footer;
+	private final CspHash cspHash;
+	private final CspNonce cspNonce;
 	private final AsideFloat asideFloat;
 	private final String noResultsMessage;
 	private final boolean nowrap;
@@ -776,6 +856,9 @@ public HtmlDocSerializer(ContextProperties cp, String produces, String accept) {
 		navlinks = cp.getArray(HTMLDOC_navlinks, String.class).orElse(new String[0]);
 		noResultsMessage = cp.getString(HTMLDOC_noResultsMessage).orElse("<p>no results</p>");
 		template = cp.getInstance(HTMLDOC_template, HtmlDocTemplate.class).orElseGet(BasicHtmlDocTemplate::new);
+
+		cspHash = cp.get(HTMLDOC_cspHash, CspHash.class).orElse(CspHash.DEFAULT);
+		cspNonce = cp.get(HTMLDOC_cspNonce, CspNonce.class).orElse(CspNonce.DEFAULT);
 
 		widgets = new HtmlWidgetMap();
 		widgets.append(cp.getInstanceArray(HTMLDOC_widgets, HtmlWidget.class).orElse(new HtmlWidget[0]));
@@ -845,6 +928,26 @@ protected final AsideFloat getAsideFloat() {
 		return asideFloat;
 	}
 
+	/**
+	 * CSP hash algorithm name.
+	 * @return
+	 *  CSP hash algorithm name.
+	 * @since 9.0.0
+	 */
+	protected final CspHash getCspHash() {
+		return cspHash;
+	}
+
+	/**
+	 * CSP nonce algorithm name.
+	 * @return
+	 *  CSP nonce algorithm name.
+	 * @since 9.0.0
+	 */
+	protected final CspNonce getCspNonce() {
+		return cspNonce;
+	}
+
 	/**
 	 * Footer section contents.
 	 *
@@ -996,6 +1099,8 @@ public OMap toMap() {
 					.a("asideFloat", asideFloat)
 					.a("footer", footer)
 					.a("style", style)
+					.a("cspHash", cspHash)
+					.a("cspNonce", cspNonce)
 					.a("head", head)
 					.a("stylesheet", stylesheet)
 					.a("nowrap", nowrap)
@@ -1004,4 +1109,5 @@ public OMap toMap() {
 					.a("widgets", widgets.keySet())
 			);
 	}
+
 }

juneau-core/juneau-marshall/src/main/java/org/apache/juneau/html/HtmlDocSerializerBuilder.java

@@ -12,19 +12,48 @@
 // ***************************************************************************************************************************
 package org.apache.juneau.html;
 
-import static org.apache.juneau.html.HtmlDocSerializer.*;
-
-import java.lang.annotation.*;
-import java.lang.reflect.*;
-import java.nio.charset.*;
-import java.util.*;
-
-import org.apache.juneau.*;
-import org.apache.juneau.http.header.*;
-import org.apache.juneau.internal.*;
-import org.apache.juneau.reflect.*;
-import org.apache.juneau.svl.*;
-import org.apache.juneau.xml.*;
+import static org.apache.juneau.html.HtmlDocSerializer.HTMLDOC_aside;
+import static org.apache.juneau.html.HtmlDocSerializer.HTMLDOC_asideFloat;
+import static org.apache.juneau.html.HtmlDocSerializer.HTMLDOC_cspHash;
+import static org.apache.juneau.html.HtmlDocSerializer.HTMLDOC_cspNonce;
+import static org.apache.juneau.html.HtmlDocSerializer.HTMLDOC_footer;
+import static org.apache.juneau.html.HtmlDocSerializer.HTMLDOC_head;
+import static org.apache.juneau.html.HtmlDocSerializer.HTMLDOC_header;
+import static org.apache.juneau.html.HtmlDocSerializer.HTMLDOC_nav;
+import static org.apache.juneau.html.HtmlDocSerializer.HTMLDOC_navlinks;
+import static org.apache.juneau.html.HtmlDocSerializer.HTMLDOC_navlinks_add;
+import static org.apache.juneau.html.HtmlDocSerializer.HTMLDOC_noResultsMessage;
+import static org.apache.juneau.html.HtmlDocSerializer.HTMLDOC_nowrap;
+import static org.apache.juneau.html.HtmlDocSerializer.HTMLDOC_script;
+import static org.apache.juneau.html.HtmlDocSerializer.HTMLDOC_script_add;
+import static org.apache.juneau.html.HtmlDocSerializer.HTMLDOC_style;
+import static org.apache.juneau.html.HtmlDocSerializer.HTMLDOC_style_add;
+import static org.apache.juneau.html.HtmlDocSerializer.HTMLDOC_stylesheet;
+import static org.apache.juneau.html.HtmlDocSerializer.HTMLDOC_stylesheet_add;
+import static org.apache.juneau.html.HtmlDocSerializer.HTMLDOC_template;
+import static org.apache.juneau.html.HtmlDocSerializer.HTMLDOC_widgets;
+
+import java.lang.annotation.Annotation;
+import java.lang.reflect.Method;
+import java.nio.charset.Charset;
+import java.util.Locale;
+import java.util.Map;
+import java.util.TimeZone;
+
+import org.apache.juneau.ContextProperties;
+import org.apache.juneau.UriContext;
+import org.apache.juneau.UriRelativity;
+import org.apache.juneau.UriResolution;
+import org.apache.juneau.UriResolver;
+import org.apache.juneau.Visibility;
+import org.apache.juneau.html.annotation.CspHash;
+import org.apache.juneau.html.annotation.CspNonce;
+import org.apache.juneau.http.header.MediaType;
+import org.apache.juneau.internal.FluentSetter;
+import org.apache.juneau.internal.FluentSetters;
+import org.apache.juneau.reflect.AnnotationList;
+import org.apache.juneau.svl.VarResolverSession;
+import org.apache.juneau.xml.Namespace;
 
 /**
  * Builder class for building instances of HTML Doc serializers.
@@ -624,6 +653,98 @@ public HtmlDocSerializerBuilder applyAnnotations(AnnotationList al, VarResolverS
 		return this;
 	}
 
+	/**
+	 * Configuration property:  Content Security Policy (CSP) Hash algorithm name.
+	 *
+	 * <h5 class='section'>Property:</h5>
+	 * <ul class='spaced-list'>
+	 * 	<li><b>ID:</b>  {@link org.apache.juneau.html.HtmlDocSerializer#HTMLDOC_cspHash HTMLDOC_cspHash}
+	 * 	<li><b>Name:</b>  <js>"HtmlDocSerializer.cspHash.s"</js>
+	 * 	<li><b>Data type:</b>  {@link org.apache.juneau.html.annotation.CspHash}
+	 * 	<li><b>System property:</b>  <c>HtmlDocSerializer.cspHash</c>
+	 * 	<li><b>Environment variable:</b>  <c>HTMLDOCSERIALIZER_CSPHASH</c>
+	 * 	<li><b>Default:</b>  {@link org.apache.juneau.html.annotation.CspHash#DEFAULT}
+	 * 	<li><b>Session property:</b>  <jk>true</jk>
+	 * 	<li><b>Annotations:</b>
+	 * 		<ul>
+	 * 			<li class='ja'>{@link org.apache.juneau.html.annotation.HtmlDocConfig#cspHash()}
+	 * 		</ul>
+	 * 	<li><b>Methods:</b>
+	 * 		<ul>
+	 * 			<li class='jm'>{@link org.apache.juneau.html.HtmlDocSerializerBuilder#cspHash(org.apache.juneau.html.annotation.CspHash)}
+	 * 		</ul>
+	 * </ul>
+	 *
+	 * <h5 class='section'>Description:</h5>
+	 * <p>
+	 * Allows you to set a CSP Hash algorithm name.
+	 *
+	 * <p>
+	 * By default, this feature is disabled.
+	 *
+	 * <h5 class='section'>Example:</h5>
+	 * <p class='bcode w800'>
+	 *  <ja>@HtmlDocConfig</ja>(
+	 * 		cspHash=<js>"sha256"</js>
+	 * 	)
+	 * </p>
+	 * @param value
+	 * 	The new value for this property.
+	 * @return This object (for method chaining).
+	 * @since 9.0.0
+	 */
+	@FluentSetter
+	public HtmlDocSerializerBuilder cspHash(CspHash value) {
+		set(HTMLDOC_cspHash, value);
+		return this;
+	}
+
+	/**
+	 * Configuration property:  Content Security Policy (CSP) nonce algorithm name.
+	 *
+	 * <h5 class='section'>Property:</h5>
+	 * <ul class='spaced-list'>
+	 * 	<li><b>ID:</b>  {@link org.apache.juneau.html.HtmlDocSerializer#HTMLDOC_cspNonce HTMLDOC_cspNonce}
+	 * 	<li><b>Name:</b>  <js>"HtmlDocSerializer.cspNonce.s"</js>
+	 * 	<li><b>Data type:</b>  {@link org.apache.juneau.html.annotation.CspNonce}
+	 * 	<li><b>System property:</b>  <c>HtmlDocSerializer.cspNonce</c>
+	 * 	<li><b>Environment variable:</b>  <c>HTMLDOCSERIALIZER_CSPNONCE</c>
+	 * 	<li><b>Default:</b>  {@link org.apache.juneau.html.annotation.CspNonce#DEFAULT}
+	 * 	<li><b>Session property:</b>  <jk>true</jk>
+	 * 	<li><b>Annotations:</b>
+	 * 		<ul>
+	 * 			<li class='ja'>{@link org.apache.juneau.html.annotation.HtmlDocConfig#cspNonce()}
+	 * 		</ul>
+	 * 	<li><b>Methods:</b>
+	 * 		<ul>
+	 * 			<li class='jm'>{@link org.apache.juneau.html.HtmlDocSerializerBuilder#cspNonce(org.apache.juneau.html.annotation.CspNonce)}
+	 * 		</ul>
+	 * </ul>
+	 *
+	 * <h5 class='section'>Description:</h5>
+	 * <p>
+	 * Allows you to set a CSP nonce algorithm name.
+	 *
+	 * <p>
+	 * By default, this feature is disabled.
+	 *
+	 * <h5 class='section'>Example:</h5>
+	 * <p class='bcode w800'>
+	 *  <ja>@HtmlDocConfig</ja>(
+	 * 		cspNonce=<js>"SecureRandom"</js>
+	 * 	)
+	 * </p>
+	 * @param value
+	 * 	The new value for this property.
+	 * @return This object (for method chaining).
+	 * @since 9.0.0
+	 */
+	@FluentSetter
+	public HtmlDocSerializerBuilder cspNonce(CspNonce value) {
+		set(HTMLDOC_cspNonce, value);
+		return this;
+	}
+
 	@Override /* GENERATED - ContextBuilder */
 	public HtmlDocSerializerBuilder debug() {
 		super.debug();

juneau-core/juneau-marshall/src/main/java/org/apache/juneau/html/HtmlDocSerializerSession.java

@@ -19,6 +19,8 @@
 
 import org.apache.juneau.*;
 import org.apache.juneau.collections.*;
+import org.apache.juneau.html.annotation.CspHash;
+import org.apache.juneau.html.annotation.CspNonce;
 import org.apache.juneau.serializer.*;
 import org.apache.juneau.svl.*;
 
@@ -40,6 +42,8 @@ public class HtmlDocSerializerSession extends HtmlStrippedDocSerializerSession {
 	private final AsideFloat asideFloat;
 	private final Set<String> style, stylesheet, script;
 	private final boolean nowrap;
+	private final CspHash cspHash;
+	private final CspNonce cspNonce;
 
 	/**
 	 * Create a new session using properties specified in the context.
@@ -67,6 +71,9 @@ protected HtmlDocSerializerSession(HtmlDocSerializer ctx, SerializerSessionArgs
 		style = ASet.of(sp.get(HTMLDOC_style, String[].class).orElse(ctx.getStyle()));
 		stylesheet = ASet.of(sp.get(HTMLDOC_stylesheet, String[].class).orElse(ctx.getStylesheet()));
 		script = ASet.of(sp.get(HTMLDOC_script, String[].class).orElse(ctx.getScript()));
+
+		cspHash = sp.get(HTMLDOC_cspHash, CspHash.class).orElse(ctx.getCspHash());
+		cspNonce = sp.get(HTMLDOC_cspNonce, CspNonce.class).orElse(ctx.getCspNonce());
 
 		head = sp.get(HTMLDOC_head, String[].class).orElse(ctx.getHead());
 		nowrap = sp.get(HTMLDOC_nowrap, boolean.class).orElse(ctx.isNowrap());
@@ -142,6 +149,30 @@ protected final AsideFloat getAsideFloat() {
 		return asideFloat;
 	}
 
+	/**
+	 * Configuration property:  CSP hash algorithm name.
+	 *
+	 * @see HtmlDocSerializer#HTMLDOC_cspHash
+	 * @return
+	 * 	CSP hash algorithm name.
+	 * @since 9.0.0
+	 */
+	protected final CspHash getCspHash() {
+		return cspHash;
+	}
+
+	/**
+	 * Configuration property:  CSP nonce algorithm name.
+	 *
+	 * @see HtmlDocSerializer#HTMLDOC_cspNonce
+	 * @return
+	 * 	CSP nonce algorithm name.
+	 * @since 9.0.0
+	 */
+	protected final CspNonce getCspNonce() {
+		return cspNonce;
+	}
+
 	/**
 	 * Configuration property:  Footer section contents.
 	 *
@@ -294,8 +325,11 @@ public OMap toMap() {
 					.a("navlinks", navlinks)
 					.a("script", script)
 					.a("style", style)
+					.a("cspHash", cspHash)
+					.a("cspNonce", cspNonce)
 					.a("stylesheet", stylesheet)
 					.a("varResolver", getVarResolver())
 			);
 	}
+
 }