CSP support #12084

[rymsha]

Fixes #12084

Adds a first-class ContentSecurityPolicy model on PortalRequest, plus a lib-portal JavaScript surface (portal.csp()) so site / page controllers, parts, layouts, and widgets can contribute directives, SHA hashes, and a request nonce alongside Java contributors. The final Content-Security-Policy header is composed at portal response-flush time in BasePortalHandler, so late additions during rendering still land in the header.

JavaScript API (lib-portal)

const portal = require('/lib/xp/portal');
const csp = portal.csp(); // request-scoped; same instance for the whole request

// One-shot strict baselines -- start restrictive, then open up:
csp.strict();        // default-src 'none'; base-uri 'none'; frame-ancestors 'none'
csp.strictDynamic(); // script-src 'nonce-...' 'strict-dynamic'; object-src 'none'; base-uri 'none'

// Typed source-list directives -- variadic CspSource and/or raw strings
csp.scriptSrc(portal.CspSource.SELF, 'https://cdn.example.com');
csp.styleSrc(portal.CspSource.SELF);
csp.imgSrc(portal.CspSource.SELF, portal.CspSource.DATA);
// also: defaultSrc, fontSrc, connectSrc, mediaSrc, objectSrc, frameSrc, workerSrc, manifestSrc, childSrc

// Restrictive directives
csp.frameAncestors(portal.CspSource.NONE);
csp.baseUri(portal.CspSource.SELF);
csp.formAction(portal.CspSource.SELF);

// Boolean directive + sandbox (unquoted tokens)
csp.upgradeInsecureRequests();
csp.sandbox(portal.SandboxFlag.ALLOW_SCRIPTS, portal.SandboxFlag.ALLOW_SAME_ORIGIN);

// Inline hashes (SHA of content, or precomputed digest)
csp.addScriptSrcSha('window.foo = 42;');
csp.addStyleSrcSha('body { color: red; }');

// Nonce -- wire into script-src, style-src, or both (the only directives a nonce is valid for)
const nonce = csp.nonceScriptSrc(); // -> script-src 'nonce-...'; returns the value
csp.nonceStyleSrc();                // -> style-src  'nonce-...' (same value)
// csp.nonce();                     // both at once

// Escape hatches for less-common / future directives
csp.add('require-trusted-types-for', ["'script'"]);
csp.set('script-src', [portal.CspSource.SELF]);

All directive methods are chainable. CspSource keyword constants are emitted single-quoted ('self', 'none', 'unsafe-inline', 'unsafe-eval', 'strict-dynamic', 'unsafe-hashes', 'wasm-unsafe-eval', 'report-sample'); scheme constants are emitted verbatim (data:, blob:). SandboxFlag constants are emitted unquoted (allow-scripts, allow-same-origin, ...).

Java API

PortalRequest.getContentSecurityPolicy() lazily creates a mutable, request-scoped ContentSecurityPolicy (same instance for the lifetime of the request; no separate Builder). It mirrors the JS surface:

ContentSecurityPolicy csp = req.getContentSecurityPolicy();

csp.strict();                 // or csp.strictDynamic();
csp.scriptSrc( CspSource.SELF, CspSource.STRICT_DYNAMIC );
csp.imgSrc( CspSource.SELF, CspSource.DATA );
csp.frameAncestors( CspSource.NONE );
csp.upgradeInsecureRequests();
csp.sandbox( SandboxFlag.ALLOW_SCRIPTS );
csp.addScriptSrcSha( inlineScriptBytes );

String nonce = csp.nonceScriptSrc(); // nonceStyleSrc() / nonce() for the others

csp.add( "require-trusted-types-for", "'script'" );
csp.set( "script-src", "'self'" );

All directive methods return ContentSecurityPolicy (chainable); build() renders the header value.

Presets

• strict() -- deny-all baseline: base-uri 'none'; default-src 'none'; frame-ancestors 'none'. Call it first, then open up only what you need.
• strictDynamic() -- the web.dev nonce-based "strict CSP": base-uri 'none'; object-src 'none'; script-src 'nonce-...' 'strict-dynamic'. The nonce is generated eagerly on script-src; retrieve it with nonceScriptSrc().

Semantics

• Merge: add is union (deduped) for every directive class (source-list, boolean, restrictive); set resets a directive's source list -- there is no freeze, so add after set still extends.
• Nonce: lazily generated, >= 128 bits, cached for the request. A nonce- source is valid only for script-src and style-src; nonceScriptSrc(), nonceStyleSrc() and nonce() (both) all return the same value and wire their target directive. If no nonce* method is called, no nonce- entry is emitted.
• Output: directives render in alphabetical order (deterministic); sources within a directive keep insertion order. 'unsafe-inline' and 'nonce-...' may coexist -- browser precedence rules apply.

Test plan

• ./gradlew :portal:portal-api:test :lib:lib-portal:test -- green.
• ContentSecurityPolicyTest (Java model) + CspHandlerScriptTest (script bridge) cover: typed/raw directives, restrictive directives, boolean, sandbox, hashes, the strict()/strictDynamic() presets, the nonceScriptSrc/nonceStyleSrc/nonce trio, and the CspSource keyword + scheme tokens.

Generated with Claude Code

[codacy-production]

Codacy's Analysis Summary

0 new issue (≤ 0 issue)
0 new security issue
182 complexity
More details

AI Reviewer: run a review on demand. To trigger the first review automatically, go to your organization or repository integration settings. AI can make mistakes. Always validate suggestions.

_{TIP This summary will be updated as you push new changes. Give us feedback}

[codecov]

Codecov Report

❌ Patch coverage is 78.72340% with 50 lines in your changes missing coverage. Please review.
✅ Project coverage is 86.02%. Comparing base (660fb27) to head (2f4e8ad).
⚠️ Report is 3 commits behind head on master.

Files with missing lines	Patch %	Lines
.../java/com/enonic/xp/lib/portal/csp/CspHandler.java	60.00%	28 Missing and 4 partials ⚠️
...om/enonic/xp/portal/csp/ContentSecurityPolicy.java	82.69%	18 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##             master   #12085      +/-   ##
============================================
- Coverage     86.04%   86.02%   -0.03%     
- Complexity    19377    19466      +89     
============================================
  Files          2544     2549       +5     
  Lines         65928    66162     +234     
  Branches       5289     5300      +11     
============================================
+ Hits          56728    56916     +188     
- Misses         6636     6678      +42     
- Partials       2564     2568       +4     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[rymsha]

Pushed bcc73e9406 — typed CSP API on top of the existing branch (no force-push, no rebase).

What changed

• New CspSource / SandboxFlag enums in portal-api (single-quoted vs. unquoted tokens, respectively).
• ContentSecurityPolicy grew typed per-directive methods (defaultSrc / scriptSrc / styleSrc / imgSrc / fontSrc / connectSrc / mediaSrc / objectSrc / frameSrc / workerSrc / manifestSrc / childSrc / frameAncestors / baseUri / formAction / upgradeInsecureRequests / sandbox) in CspSource... and String... overload pairs, plus addScriptSrcSha / addStyleSrcSha. Generic add / set / addSha remain as escape hatches.
• CspHandler forwarders + lib/xp/portal.ts extensions, plus exported CspSource / SandboxFlag as const constants (importable as both value and type).
• examples/portal/getCsp.js rewritten against the typed API.
• Tests: ContentSecurityPolicyTest 22 → 43; CspHandlerScriptTest 9 → 20.

Local tests

• ./gradlew :portal:portal-api:test :portal:portal-impl:test :lib:lib-portal:test — green
• ./gradlew :portal:portal-api:check :lib:lib-portal:check — green
• ./gradlew :lib:lint — green

CI on bcc73e9406
All required checks pass: build (11m24s), Analyze (java-kotlin / javascript-typescript / actions), CodeQL, Codacy. See https://github.com/enonic/xp/pull/12085/checks.