/*
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements. See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License. You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.wicket.coop;

import org.apache.wicket.Application;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.util.lang.Args;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/**
 * Holds the Cross-Origin Opener Policy (COOP) settings that
 * {@link CrossOriginOpenerPolicyRequestCycleListener} uses when it adds COOP headers. A
 * configuration consists of the paths that should be exempt from COOP and one of 4 modes
 * (<code>UNSAFE_NONE, SAME_ORIGIN, SAME_ORIGIN_ALLOW_POPUPS, DISABLED</code>) for the policy. The
 * config object lives in {@link org.apache.wicket.settings.SecuritySettings}; users can specify
 * their COOP preferences with the following lines in their application's
 * {@link WebApplication#init()} method:
 *
 * <pre>
 * &#064;Override
 * protected void init()
 * {
 * 	// ...
 * 	getSecuritySettings().setCrossOriginOpenerPolicyConfiguration(CoopMode.SAME_ORIGIN,
 * 		"EXEMPTED PATHS");
 * 	// ...
 * }
 * </pre>
 *
 * The config value will be read once at startup in {@link Application#initApplication()};
 * changing the configuration at runtime will have no effect on the COOP headers set.
 * <p>
 * NOTE(review): {@link #addExemptedPath(String)} and the set returned by {@link #getExemptions()}
 * still allow the exemptions to change after construction. Whether a listener observes such a
 * change depends on whether it keeps a reference to this object or copies its values, which is
 * not visible in this class. Every exempted path is one that is meant to go without the COOP
 * header, so the list is best kept as short as the application allows.
 *
 * @author Santiago Diaz - saldiaz@google.com
 * @author Ecenaz Jen Ozmen - ecenazo@google.com
 *
 * @see CrossOriginOpenerPolicyRequestCycleListener
 * @see org.apache.wicket.settings.SecuritySettings
 */
public class CrossOriginOpenerPolicyConfiguration
{
	/**
	 * The selectable policies, each paired with the keyword that {@link #getHeaderValue()} returns.
	 */
	public enum CoopMode
	{
		/**
		 * Keyword <code>unsafe-none</code>: no opener isolation is requested. Browsers treat a
		 * missing COOP header the same way.
		 */
		UNSAFE_NONE("unsafe-none"),

		/**
		 * Keyword <code>same-origin</code>: the document is isolated from cross-origin openers and
		 * popups.
		 */
		SAME_ORIGIN("same-origin"),

		/**
		 * Keyword <code>same-origin-allow-popups</code>: like <code>same-origin</code>, but the
		 * document keeps its reference to popups it opens when those popups do not set COOP or
		 * set <code>unsafe-none</code>.
		 */
		SAME_ORIGIN_ALLOW_POPUPS("same-origin-allow-popups"),

		/**
		 * Empty keyword; {@link CrossOriginOpenerPolicyConfiguration#isEnabled()} returns
		 * <code>false</code> for this mode. Presumably the listener then adds no header at all -
		 * confirm in the listener.
		 */
		DISABLED("");

		/** The header keyword for this mode; the empty string for {@link #DISABLED}. */
		final String keyword;

		CoopMode(String keyword)
		{
			this.keyword = keyword;
		}
	}


	// Paths exempt from COOP. A plain HashSet: it is not safe for concurrent modification and it
	// accepts null elements, and nothing in this class validates or normalizes the entries.
	private final Set<String> exemptions = new HashSet<>();

	// The selected policy; both constructors pass it through Args.notNull.
	private final CoopMode mode;

	/**
	 * Creates a configuration with the given mode and an initial set of exempted paths.
	 * <p>
	 * The paths are stored exactly as given. How they are compared with a request is decided by
	 * the code that reads {@link #getExemptions()}, which is not part of this class.
	 *
	 * @param mode
	 *            the policy to apply, checked with {@link Args#notNull(Object, String)}
	 * @param exemptions
	 *            the paths that should be exempt from COOP; a <code>null</code> array fails with a
	 *            {@link NullPointerException}
	 */
	public CrossOriginOpenerPolicyConfiguration(CoopMode mode, String... exemptions)
	{
		// The paths are copied before the mode is checked, so a null array is reported first.
		for (String exemptedPath : Arrays.asList(exemptions))
		{
			this.exemptions.add(exemptedPath);
		}
		this.mode = Args.notNull(mode, "mode");
	}

	/**
	 * Creates a configuration with the given mode and no exempted paths.
	 *
	 * @param mode
	 *            the policy to apply, checked with {@link Args#notNull(Object, String)}
	 */
	public CrossOriginOpenerPolicyConfiguration(CoopMode mode)
	{
		this.mode = Args.notNull(mode, "mode");
	}

	/**
	 * Adds one more path to the exemptions.
	 *
	 * @param path
	 *            the path to exempt from COOP; stored as given, without validation
	 * @return this configuration, so that calls can be chained
	 */
	public CrossOriginOpenerPolicyConfiguration addExemptedPath(String path)
	{
		this.exemptions.add(path);
		return this;
	}

	/**
	 * Returns the exempted paths.
	 * <p>
	 * This is the internal, mutable set rather than a copy, so any change made through the
	 * returned reference changes this configuration.
	 *
	 * @return the live set of exempted paths
	 */
	public Set<String> getExemptions()
	{
		return this.exemptions;
	}

	/**
	 * @return the configured mode
	 */
	public CoopMode getMode()
	{
		return this.mode;
	}

	/**
	 * Returns the keyword of the configured mode.
	 * <p>
	 * For {@link CoopMode#DISABLED} this is the empty string, so callers that write the header
	 * should check {@link #isEnabled()} first rather than emit an empty value.
	 *
	 * @return the header keyword of the configured mode
	 */
	public String getHeaderValue()
	{
		return this.mode.keyword;
	}

	/**
	 * @return <code>true</code> unless the configured mode is {@link CoopMode#DISABLED}
	 */
	public boolean isEnabled()
	{
		return CoopMode.DISABLED != this.mode;
	}
}