/*
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.wicket.protocol.http;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.apache.wicket.request.component.IRequestablePage;

/**
 * Interface for the resource isolation policies.
 * <p>
 * Resource isolation policies are designed to protect against cross-origin attacks: for each
 * request the policy decides, from the request and the page it targets, whether the request may be
 * served.
 * <p>
 * This is a functional interface. Its single abstract method is
 * {@link #isRequestAllowed(HttpServletRequest, IRequestablePage)};
 * {@link #setHeaders(HttpServletResponse)} is an optional hook whose default does nothing.
 * <p>
 * See {@link FetchMetadataResourceIsolationPolicy} for the default implementation used
 * by {@link ResourceIsolationRequestCycleListener}.
 * <p>
 * NOTE(review): a policy instance is presumably shared across requests by the listener, so
 * implementations should not keep mutable per-request state — confirm against
 * {@link ResourceIsolationRequestCycleListener}.
 *
 * @see <a href="https://web.dev/fetch-metadata/">https://web.dev/fetch-metadata/</a>
 *
 * @author Santiago Diaz - saldiaz@google.com
 * @author Ecenaz Jen Ozmen - ecenazo@google.com
 */
@FunctionalInterface
public interface IResourceIsolationPolicy
{
	/**
	 * Indicates the outcome for a resource isolation policy for a request. When the outcome is
	 * {@link #UNKNOWN}, the next policy will be consulted.
	 * <p>
	 * NOTE(review): what the listener does when every configured policy returns {@link #UNKNOWN}
	 * is not visible here — check {@link ResourceIsolationRequestCycleListener} before treating
	 * {@link #UNKNOWN} as a safe default for requests a policy cannot classify.
	 *
	 * @author papegaaij
	 *
	 * @see IResourceIsolationPolicy#isRequestAllowed(jakarta.servlet.http.HttpServletRequest, org.apache.wicket.request.component.IRequestablePage)
	 */
	public enum ResourceIsolationOutcome
	{
		/** This policy allows the request. */
		ALLOWED,
		/** This policy rejects the request. */
		DISALLOWED,
		/** This policy cannot decide; the next policy will be consulted. */
		UNKNOWN
	}

	/**
	 * Decides whether the given request is allowed to be served by the targeted page.
	 *
	 * @param request
	 *            the incoming request being checked
	 * @param targetPage
	 *            the page the request targets
	 * @return the outcome of this policy for the request, must not be <code>null</code>; return
	 *         {@link ResourceIsolationOutcome#UNKNOWN} to leave the decision to the next policy
	 */
	ResourceIsolationOutcome isRequestAllowed(HttpServletRequest request,
		IRequestablePage targetPage);

	/**
	 * Sets any response headers this policy needs on the given response. The default
	 * implementation sets none.
	 * <p>
	 * NOTE(review): when a policy's decision depends on request headers, the response presumably
	 * needs a matching <code>Vary</code> header so that a shared cache does not reuse the
	 * response for a request the policy would have rejected — see how the default implementation
	 * handles this.
	 *
	 * @param response
	 *            the response to add headers to
	 */
	default void setHeaders(HttpServletResponse response)
	{
		// Intentionally empty: setting response headers is optional for a policy.
	}
}