2929import javax .servlet .http .HttpServletResponse ;
3030import java .security .SecureRandom ;
3131import java .util .Base64 ;
32- import java .util .Objects ;
3332
3433import static java .lang .String .format ;
3534
@@ -86,16 +85,18 @@ public void addCspHeaders(HttpServletRequest request, HttpServletResponse respon
8685 private void addCspHeadersWithSession (HttpServletRequest request , HttpServletResponse response ) {
8786 if (isSessionActive (request )) {
8887 LOG .trace ("Session is active, applying CSP settings" );
89- request .getSession ().setAttribute (NONCE_KEY , generateNonceValue ());
90- response .setHeader (cspHeader , createPolicyFormat (request ));
88+ String nonceValue = generateNonceValue ();
89+ request .getSession ().setAttribute (NONCE_KEY , nonceValue );
90+ response .setHeader (cspHeader , createPolicyFormat (nonceValue ));
9191 } else {
9292 LOG .debug ("Session is not active, ignoring CSP settings" );
9393 }
9494 }
9595
9696 private void addCspHeadersWithRequest (HttpServletRequest request , HttpServletResponse response ) {
97- request .setAttribute (NONCE_KEY , generateNonceValue ());
98- response .setHeader (cspHeader , createPolicyFormat (request ));
97+ String nonceValue = generateNonceValue ();
98+ request .setAttribute (NONCE_KEY , nonceValue );
99+ response .setHeader (cspHeader , createPolicyFormat (nonceValue ));
99100 }
100101
101102 private boolean isSessionActive (HttpServletRequest request ) {
@@ -106,34 +107,45 @@ private String generateNonceValue() {
106107 return Base64 .getUrlEncoder ().encodeToString (getRandomBytes ());
107108 }
108109
109- protected String createPolicyFormat (HttpServletRequest request ) {
110- StringBuilder policyFormatBuilder = new StringBuilder ()
110+ protected String createPolicyFormat (String nonceValue ) {
111+ StringBuilder builder = new StringBuilder ()
111112 .append (OBJECT_SRC )
112113 .append (format (" '%s'; " , NONE ))
113114 .append (SCRIPT_SRC )
114- .append (" 'nonce-%s' " ) // nonce placeholder
115+ .append (format ( " 'nonce-%s' " , nonceValue ))
115116 .append (format ("'%s' " , STRICT_DYNAMIC ))
116117 .append (format ("%s %s; " , HTTP , HTTPS ))
117118 .append (BASE_URI )
118119 .append (format (" '%s'; " , NONE ));
119120
120121 if (reportUri != null ) {
121- policyFormatBuilder
122+ builder
122123 .append (REPORT_URI )
123- .append (format (" %s; " , reportUri ));
124+ .append (format (" %s;" , reportUri ));
124125 if (reportTo != null ) {
125- policyFormatBuilder
126+ builder
126127 .append (REPORT_TO )
127- .append (format (" %s; " , reportTo ));
128+ .append (format (" %s;" , reportTo ));
128129 }
129130 }
130131
131- return format (policyFormatBuilder .toString (), getNonceString (request ));
132+ return builder .toString ();
133+ }
134+
135+ /**
136+ * @deprecated since 6.8.0, for removal
137+ */
138+ @ Deprecated
139+ protected String createPolicyFormat (HttpServletRequest request ) {
140+ throw new UnsupportedOperationException ("Unsupported implementation, use #createPolicyFormat(String) instead!" );
132141 }
133142
143+ /**
144+ * @deprecated since 6.8.0, for removal
145+ */
146+ @ Deprecated
134147 protected String getNonceString (HttpServletRequest request ) {
135- Object nonce = request .getSession ().getAttribute (NONCE_KEY );
136- return Objects .toString (nonce );
148+ throw new UnsupportedOperationException ("Unsupported implementation, don't use!" );
137149 }
138150
139151 private byte [] getRandomBytes () {
0 commit comments