java.lang.Object
- org.apache.wicket.protocol.http.OriginResourceIsolationPolicy

All Implemented Interfaces:

IResourceIsolationPolicy

Direct Known Subclasses:

CsrfPreventionRequestCycleListener
```
public class OriginResourceIsolationPolicy
extends Object
implements IResourceIsolationPolicy
```
IResourceIsolationPolicy based on WebRequest.HEADER_ORIGIN and WebRequest.HEADER_REFERER headers.
This origin-based listener can be used in combination with the ResourceIsolationRequestCycleListener to add support for legacy browsers that don't send Sec-Fetch-* headers yet.

Nested Class Summary
- Nested classes/interfaces inherited from interface org.apache.wicket.protocol.http.IResourceIsolationPolicy
  IResourceIsolationPolicy.ResourceIsolationOutcome

Constructor Summary

Constructors
Constructor Description

OriginResourceIsolationPolicy()

Method Summary

All Methods Instance Methods Concrete Methods
Modifier and Type	Method	Description
`OriginResourceIsolationPolicy`	`addAcceptedOrigin(String acceptedOrigin)`	Adds an origin (host name/domain name) to the white list.
`protected String`	`getTargetUriFromRequest(javax.servlet.http.HttpServletRequest request)`	Creates a RFC-6454 comparable URI from the `request` requested resource.
`protected boolean`	`isLocalOrigin(javax.servlet.http.HttpServletRequest containerRequest, String originHeader)`	Checks whether the `Origin` HTTP header of the request matches where the request came from.
`IResourceIsolationPolicy.ResourceIsolationOutcome`	`isRequestAllowed(javax.servlet.http.HttpServletRequest request, IRequestablePage targetPage)`	Is the given request allowed.
`protected boolean`	`isWhitelistedHost(String sourceUri)`	Checks whether the domain part of the `sourceUri` (`Origin` or `Referer` header) is whitelisted.
`protected String`	`normalizeUri(String uri)`	Creates a RFC-6454 comparable URI from the `uri` string.

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.apache.wicket.protocol.http.IResourceIsolationPolicy
setHeaders

- Constructor Detail
  - OriginResourceIsolationPolicy
```
public OriginResourceIsolationPolicy()
```
- Method Detail
  - addAcceptedOrigin
```
public OriginResourceIsolationPolicy addAcceptedOrigin(String acceptedOrigin)
```
    Adds an origin (host name/domain name) to the white list. An origin is in the form of <domainname>.<TLD>, and can contain a subdomain. Every Origin header that matches a domain from the whitelist is accepted and not checked any further for CSRF issues. E.g. when example.com is in the white list, this allows requests from (i.e. with an Origin: header containing) example.com and blabla.example.com but rejects requests from blablaexample.com and example2.com.
    
    Parameters:
    
    acceptedOrigin - the acceptable origin
    
    Returns:
    
    this
  - isRequestAllowed
```
public IResourceIsolationPolicy.ResourceIsolationOutcome isRequestAllowed(javax.servlet.http.HttpServletRequest request,
                                                                          IRequestablePage targetPage)
```
    Description copied from interface: IResourceIsolationPolicy
    
    Is the given request allowed.
    
    Specified by:
    
    isRequestAllowed in interface IResourceIsolationPolicy
    
    Parameters:
    
    request - request
    
    targetPage - targeted page
    
    Returns:
    
    whether the request is allowed based on its origin
  - isLocalOrigin
```
protected boolean isLocalOrigin(javax.servlet.http.HttpServletRequest containerRequest,
                                String originHeader)
```
    Checks whether the Origin HTTP header of the request matches where the request came from.
    
    Parameters:
    
    containerRequest - the current container request
    
    originHeader - the contents of the Origin HTTP header
    
    Returns:
    
    true when the origin of the request matches the Origin HTTP header
  - getTargetUriFromRequest
```
protected final String getTargetUriFromRequest(javax.servlet.http.HttpServletRequest request)
```
    Creates a RFC-6454 comparable URI from the request requested resource.
    
    Parameters:
    
    request - the incoming request
    
    Returns:
    
    only the scheme://host[:port] part, or null when the origin string is not compliant
  - normalizeUri
```
protected final String normalizeUri(String uri)
```
    Creates a RFC-6454 comparable URI from the uri string.
    
    Parameters:
    
    uri - the contents of the Origin or Referer HTTP header
    
    Returns:
    
    only the scheme://host[:port] part, or null when the URI string is not compliant
  - isWhitelistedHost
```
protected boolean isWhitelistedHost(String sourceUri)
```
    Checks whether the domain part of the sourceUri (Origin or Referer header) is whitelisted.
    
    Parameters:
    
    sourceUri - the contents of the Origin or Referer HTTP header
    
    Returns:
    
    true when the source domain was whitelisted

Class OriginResourceIsolationPolicy

Nested Class Summary

Nested classes/interfaces inherited from interface org.apache.wicket.protocol.http.IResourceIsolationPolicy

Constructor Summary

Method Summary

Methods inherited from class java.lang.Object

Methods inherited from interface org.apache.wicket.protocol.http.IResourceIsolationPolicy

Constructor Detail

OriginResourceIsolationPolicy

Method Detail

addAcceptedOrigin

isRequestAllowed

isLocalOrigin

getTargetUriFromRequest

normalizeUri

isWhitelistedHost