From f13a5a090fe49be645458e59e6213d6e20a2fb1f Mon Sep 17 00:00:00 2001
From: aditya-gupta36
Date: Tue, 2 Dec 2025 20:00:30 +0530
Subject: [PATCH] ATLAS-5160: Remove deprecated X-XSS-PROTECTION header from HTTP response headers initialization and Atlas Spring Security Config
---
 .../main/java/org/apache/atlas/web/filters/HeadersUtil.java | 3 ---
 .../org/apache/atlas/web/security/AtlasSecurityConfig.java | 3 ++-
 .../java/org/apache/atlas/web/filters/HeaderUtilsTest.java | 1 -
 .../apache/atlas/web/security/AtlasSecurityConfigTest.java | 6 ++++++
 4 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/webapp/src/main/java/org/apache/atlas/web/filters/HeadersUtil.java b/webapp/src/main/java/org/apache/atlas/web/filters/HeadersUtil.java
index dbec3cdbfab..08a6b1a2922 100644
--- a/webapp/src/main/java/org/apache/atlas/web/filters/HeadersUtil.java
+++ b/webapp/src/main/java/org/apache/atlas/web/filters/HeadersUtil.java
@@ -35,12 +35,10 @@ public class HeadersUtil {
 public static final String X_FRAME_OPTIONS_KEY = "X-Frame-Options";
 public static final String X_CONTENT_TYPE_OPTIONS_KEY = "X-Content-Type-Options";
- public static final String X_XSS_PROTECTION_KEY = "X-XSS-Protection";
 public static final String STRICT_TRANSPORT_SEC_KEY = "Strict-Transport-Security";
 public static final String CONTENT_SEC_POLICY_KEY = "Content-Security-Policy";
 public static final String X_FRAME_OPTIONS_VAL = "DENY";
 public static final String X_CONTENT_TYPE_OPTIONS_VAL = "nosniff";
- public static final String X_XSS_PROTECTION_VAL = "1; mode=block";
 public static final String STRICT_TRANSPORT_SEC_VAL = "max-age=31536000; includeSubDomains";
 public static final String CONTENT_SEC_POLICY_VAL = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob: data:; connect-src 'self'; img-src 'self' blob: data:; style-src 'self' 'unsafe-inline';font-src 'self' data:";
 public static final String SERVER_KEY = "Server";
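Review bot: Deleting the public constants `X_XSS_PROTECTION_KEY` and `X_XSS_PROTECTION_VAL` from a public utility class removes them from the compiled API, so any plugin or downstream code that still references them fails at link time instead of just sending a header that browsers ignore; keeping them for one release as `@Deprecated(since = "<next release>", forRemoval = true)` while still dropping the `HEADER_MAP.put` in the `-79` hunk gives callers a migration window. The rationale that `Content-Security-Policy` supersedes this header is weakened by the visible `CONTENT_SEC_POLICY_VAL`, whose `script-src` allows `'unsafe-inline'` and `'unsafe-eval'`, so inline and eval'd script is not restricted once the auditor header is gone. A short comment on that constant, e.g. `// NOTE: 'unsafe-inline'/'unsafe-eval' in script-src mean this policy does not yet block inline script; tighten before relying on it as the XSS mitigation`, would keep that gap visible to the next maintainer. The class body continues outside the hunk.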
@@ -79,7 +77,6 @@ public static void initializeHttpResponseHeaders(Properties configuredHeaders) {
 HEADER_MAP.put(X_FRAME_OPTIONS_KEY, X_FRAME_OPTIONS_VAL);
 HEADER_MAP.put(X_CONTENT_TYPE_OPTIONS_KEY, X_CONTENT_TYPE_OPTIONS_VAL);
- HEADER_MAP.put(X_XSS_PROTECTION_KEY, X_XSS_PROTECTION_VAL);
 HEADER_MAP.put(STRICT_TRANSPORT_SEC_KEY, STRICT_TRANSPORT_SEC_VAL);
 HEADER_MAP.put(CONTENT_SEC_POLICY_KEY, CONTENT_SEC_POLICY_VAL);
 HEADER_MAP.put(SERVER_KEY, AtlasConfiguration.HTTP_HEADER_SERVER_VALUE.getString());
diff --git a/webapp/src/main/java/org/apache/atlas/web/security/AtlasSecurityConfig.java b/webapp/src/main/java/org/apache/atlas/web/security/AtlasSecurityConfig.java
index 3d81e9917e1..b7bd15c60a8 100644
--- a/webapp/src/main/java/org/apache/atlas/web/security/AtlasSecurityConfig.java
+++ b/webapp/src/main/java/org/apache/atlas/web/security/AtlasSecurityConfig.java
@@ -195,7 +195,8 @@ protected void configure(HttpSecurity httpSecurity) throws Exception {
 //@formatter:off
 httpSecurity.authorizeRequests().anyRequest().authenticated()
 .and()
- .headers()
+ // Why disable() xssProtection -> By default Spring Security automatically adds security headers unless you disable them. No Modern Browsers support and its replaced by "Content-Security-Policy"
+ .headers().xssProtection().disable()
 .addHeaderWriter(new StaticHeadersWriter(HeadersUtil.CONTENT_SEC_POLICY_KEY, HeadersUtil.getHeaderMap(HeadersUtil.CONTENT_SEC_POLICY_KEY)))
 .addHeaderWriter(new StaticHeadersWriter(SERVER_KEY, HeadersUtil.getHeaderMap(SERVER_KEY)))
 .and()
diff --git a/webapp/src/test/java/org/apache/atlas/web/filters/HeaderUtilsTest.java b/webapp/src/test/java/org/apache/atlas/web/filters/HeaderUtilsTest.java
index d3927f698e9..8b44839b3bd 100644
--- a/webapp/src/test/java/org/apache/atlas/web/filters/HeaderUtilsTest.java
+++ b/webapp/src/test/java/org/apache/atlas/web/filters/HeaderUtilsTest.java
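Review bot: `xssProtection().disable()` omits the header altogether, whereas current OWASP guidance is to send `X-XSS-Protection: 0` so that browsers which still ship the auditor have it switched off explicitly, because the auditor itself has been reported to introduce information-leak issues on otherwise safe pages. If the project's Spring Security is 5.8 or newer (not visible here, so worth confirming), `.headers().xssProtection().headerValue(XXssProtectionHeaderWriter.HeaderValue.DISABLED)` emits the `0` value instead of dropping the header. The added comment also reads awkwardly; a tighter form would be `// X-XSS-Protection is intentionally not sent: current browsers have removed the XSS auditor and Content-Security-Policy supersedes it.` The `configure` method starts and ends outside the hunk.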
@@ -93,7 +93,6 @@ public void testDefaultHeadersArePresent() {
 assertEquals("DENY", HeadersUtil.getHeaderMap(HeadersUtil.X_FRAME_OPTIONS_KEY));
 assertEquals("nosniff", HeadersUtil.getHeaderMap(HeadersUtil.X_CONTENT_TYPE_OPTIONS_KEY));
- assertEquals("1; mode=block", HeadersUtil.getHeaderMap(HeadersUtil.X_XSS_PROTECTION_KEY));
 }
 private Properties createPropertiesWithHeaders(String... headers) {
diff --git a/webapp/src/test/java/org/apache/atlas/web/security/AtlasSecurityConfigTest.java b/webapp/src/test/java/org/apache/atlas/web/security/AtlasSecurityConfigTest.java
index 0ad2001f04b..fcdde2dccb3 100644
--- a/webapp/src/test/java/org/apache/atlas/web/security/AtlasSecurityConfigTest.java
+++ b/webapp/src/test/java/org/apache/atlas/web/security/AtlasSecurityConfigTest.java
@@ -499,6 +499,7 @@ private void setupHttpSecurityMocksFor(HttpSecurity httpSecurity) throws Excepti
 ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry mockAuthRequests = mock(ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry.class);
 ExpressionUrlAuthorizationConfigurer.AuthorizedUrl mockAuthorizedUrl = mock(ExpressionUrlAuthorizationConfigurer.AuthorizedUrl.class);
 HeadersConfigurer mockHeadersConfigurer = mock(HeadersConfigurer.class);
+ HeadersConfigurer.XXssConfig mockXssConfigurer = mock(HeadersConfigurer.XXssConfig.class);
 ServletApiConfigurer mockServletApiConfigurer = mock(ServletApiConfigurer.class);
 CsrfConfigurer mockCsrfConfigurer = mock(CsrfConfigurer.class);
 SessionManagementConfigurer mockSessionConfigurer = mock(SessionManagementConfigurer.class);
@@ -514,6 +515,8 @@ private void setupHttpSecurityMocksFor(HttpSecurity httpSecurity) throws Excepti
 when(mockAuthRequests.and()).thenReturn(httpSecurity);
 when(httpSecurity.headers()).thenReturn(mockHeadersConfigurer);
+ when(mockHeadersConfigurer.xssProtection()).thenReturn(mockXssConfigurer);
+ when(mockXssConfigurer.disable()).thenReturn(mockHeadersConfigurer);
 when(mockHeadersConfigurer.addHeaderWriter(any(StaticHeadersWriter.class))).thenReturn(mockHeadersConfigurer);
 when(mockHeadersConfigurer.and()).thenReturn(httpSecurity);
@@ -857,6 +860,7 @@ private void setupHttpSecurityMocks() throws Exception {
 ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry mockAuthRequests = mock(ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry.class);
 ExpressionUrlAuthorizationConfigurer.AuthorizedUrl mockAuthorizedUrl = mock(ExpressionUrlAuthorizationConfigurer.AuthorizedUrl.class);
 HeadersConfigurer mockHeadersConfigurer = mock(HeadersConfigurer.class);
+ HeadersConfigurer.XXssConfig mockXssConfigurer = mock(HeadersConfigurer.XXssConfig.class);
 ServletApiConfigurer mockServletApiConfigurer = mock(ServletApiConfigurer.class);
 CsrfConfigurer mockCsrfConfigurer = mock(CsrfConfigurer.class);
 SessionManagementConfigurer mockSessionConfigurer = mock(SessionManagementConfigurer.class);
@@ -872,6 +876,8 @@ private void setupHttpSecurityMocks() throws Exception {
 when(mockAuthRequests.and()).thenReturn(mockHttpSecurity);
 when(mockHttpSecurity.headers()).thenReturn(mockHeadersConfigurer);
+ when(mockHeadersConfigurer.xssProtection()).thenReturn(mockXssConfigurer);
+ when(mockXssConfigurer.disable()).thenReturn(mockHeadersConfigurer);
 when(mockHeadersConfigurer.addHeaderWriter(any(StaticHeadersWriter.class))).thenReturn(mockHeadersConfigurer);
 when(mockHeadersConfigurer.and()).thenReturn(mockHttpSecurity);
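Review bot: The new `xssProtection()` and `disable()` stubs only keep the fluent mock chain from returning null; nothing visible in this hunk asserts that `disable()` is actually called, so a later change that drops the call from `configure(...)` would still pass. A `verify(mockXssConfigurer).disable();` in the test methods that run `configure(...)` (those methods are outside the hunk) would pin the intended behaviour, and a matching negative assertion that `X-XSS-Protection` is absent from the header map would do the same on the `HeadersUtil` side. The identical stubbing is repeated in the `-876` hunk of `setupHttpSecurityMocks()`; since both helpers appear to build the same chain, extracting the headers stubbing into one shared private helper would stop the two copies drifting apart. Both helper bodies start and end outside the hunks.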