001/*
002 * Licensed to the Apache Software Foundation (ASF) under one or more
003 * contributor license agreements.  See the NOTICE file distributed with
004 * this work for additional information regarding copyright ownership.
005 * The ASF licenses this file to You under the Apache License, Version 2.0
006 * (the "License"); you may not use this file except in compliance with
007 * the License.  You may obtain a copy of the License at
008 *
009 *      http://www.apache.org/licenses/LICENSE-2.0
010 *
011 * Unless required by applicable law or agreed to in writing, software
012 * distributed under the License is distributed on an "AS IS" BASIS,
013 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
014 * See the License for the specific language governing permissions and
015 * limitations under the License.
016 */
017package org.apache.wicket.protocol.http;
018
019import javax.servlet.http.HttpServletRequest;
020import javax.servlet.http.HttpServletResponse;
021
022import org.apache.wicket.request.component.IRequestablePage;
023
024/**
025 * Interface for the resource isolation policies.
026 * <p>
027 * Resource isolation policies are designed to protect against cross origin attacks.
028 * <p>
029 * See {@link FetchMetadataResourceIsolationPolicy} for the default implementation used
030 * by {@link ResourceIsolationRequestCycleListener}.
031 *
032 * @see <a href="https://web.dev/fetch-metadata/">https://web.dev/fetch-metadata/</a>
033 *
034 * @author Santiago Diaz - saldiaz@google.com
035 * @author Ecenaz Jen Ozmen - ecenazo@google.com
036 */
037@FunctionalInterface
038public interface IResourceIsolationPolicy
039{
040        /**
041         * Indicates the outcome for a resource isolation policy for a request. When the outcome is
042         * {@link #UNKNOWN}, the next policy will be consulted.
043         * 
044         * @author papegaaij
045         * 
046         * @see IResourceIsolationPolicy#isRequestAllowed(javax.servlet.http.HttpServletRequest, org.apache.wicket.request.component.IRequestablePage)
047         */
048        public enum ResourceIsolationOutcome
049        {
050                ALLOWED, DISALLOWED, UNKNOWN
051        }
052
053        /**
054         * Is the given request allowed.
055         * 
056         * @param request
057         *            request
058         * @param targetPage
059         *            targeted page
060         * @return outcome, must not be <code>null</code>
061         */
062        ResourceIsolationOutcome isRequestAllowed(HttpServletRequest request,
063                IRequestablePage targetPage);
064
065        /**
066         * Set possible response headers.
067         * 
068         * @param response
069         */
070        default void setHeaders(HttpServletResponse response)
071        {
072        }
073}