SaaiAravindhRaja
diff --git a/‎conf/openmetadata.yaml‎
Lines changed: 1 addition & 1 deletion b/‎conf/openmetadata.yaml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎openmetadata-service/src/main/java/org/openmetadata/service/OpenMetadataApplication.java‎
Lines changed: 5 additions & 0 deletions b/‎openmetadata-service/src/main/java/org/openmetadata/service/OpenMetadataApplication.java‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎openmetadata-service/src/main/java/org/openmetadata/service/exception/OMErrorPageHandler.java‎
Lines changed: 19 additions & 3 deletions b/‎openmetadata-service/src/main/java/org/openmetadata/service/exception/OMErrorPageHandler.java‎
Lines changed: 19 additions & 3 deletions
diff --git a/‎openmetadata-service/src/main/java/org/openmetadata/service/resources/system/IndexResource.java‎
Lines changed: 38 additions & 14 deletions b/‎openmetadata-service/src/main/java/org/openmetadata/service/resources/system/IndexResource.java‎
Lines changed: 38 additions & 14 deletions
diff --git a/‎openmetadata-service/src/main/java/org/openmetadata/service/security/CspNonceHandler.java‎
Lines changed: 75 additions & 0 deletions b/‎openmetadata-service/src/main/java/org/openmetadata/service/security/CspNonceHandler.java‎
Lines changed: 75 additions & 0 deletions
diff --git a/‎openmetadata-service/src/main/java/org/openmetadata/service/socket/OpenMetadataAssetServlet.java‎
Lines changed: 5 additions & 4 deletions b/‎openmetadata-service/src/main/java/org/openmetadata/service/socket/OpenMetadataAssetServlet.java‎
Lines changed: 5 additions & 4 deletions
@@ -689,7 +689,7 @@ web:
     block: ${WEB_CONF_XSS_PROTECTION_BLOCK:-true}
   csp:
     enabled: ${WEB_CONF_XSS_CSP_ENABLED:-false}
-    policy: ${WEB_CONF_XSS_CSP_POLICY:-"default-src 'self'"}
+    policy: ${WEB_CONF_XSS_CSP_POLICY:-"default-src 'self'; base-uri 'self'; script-src 'self' 'nonce-__CSP_NONCE__' https://www.googletagmanager.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com data:; img-src * 'self' blob: data:; media-src * 'self' blob:; worker-src 'self' blob:; frame-src 'self' https://www.youtube.com; object-src 'none'; connect-src 'self';"}
     reportOnlyPolicy: ${WEB_CONF_XSS_CSP_REPORT_ONLY_POLICY:-""}
   referrer-policy:
     enabled: ${WEB_CONF_REFERRER_POLICY_ENABLED:-false}
 
@@ -150,6 +150,7 @@
 import org.openmetadata.service.security.AuthenticationCodeFlowHandler;
 import org.openmetadata.service.security.Authorizer;
 import org.openmetadata.service.security.ContainerRequestFilterManager;
+import org.openmetadata.service.security.CspNonceHandler;
 import org.openmetadata.service.security.DelegatingContainerRequestFilter;
 import org.openmetadata.service.security.NoopAuthorizer;
 import org.openmetadata.service.security.NoopFilter;
@@ -1056,6 +1057,10 @@ private void registerResources(
     OMErrorPageHandler eph = new OMErrorPageHandler(config.getWebConfiguration());
     eph.addErrorPage(Response.Status.NOT_FOUND.getStatusCode(), "/");
     environment.getApplicationContext().setErrorHandler(eph);
+
+    CspNonceHandler cspNonceHandler = new CspNonceHandler();
+    cspNonceHandler.setHandler(environment.getApplicationContext().getHandler());
+    environment.getApplicationContext().setHandler(cspNonceHandler);
   }
 
   private void initializeWebsockets(
 
@@ -14,6 +14,8 @@
 import org.eclipse.jetty.server.Response;
 import org.eclipse.jetty.util.Callback;
 import org.openmetadata.service.config.OMWebConfiguration;
+import org.openmetadata.service.config.web.CspHeaderFactory;
+import org.openmetadata.service.security.CspNonceHandler;
 
 /**
  * Custom error page handler that adds security headers to error responses. This is compatible with
@@ -41,7 +43,7 @@ protected boolean generateAcceptableResponse(
       Throwable cause)
       throws IOException {
     // Add security headers to the response before generating the error page
-    setSecurityHeaders(this.webConfiguration, response);
+    setSecurityHeaders(this.webConfiguration, request, response);
     return super.generateAcceptableResponse(
         request, response, callback, contentType, charsets, code, message, cause);
   }
@@ -50,9 +52,11 @@ protected boolean generateAcceptableResponse(
    * Sets security headers on the Jetty Response object (new Jetty 12.1 API).
    *
    * @param webConfiguration the web configuration containing header settings
+   * @param request the Jetty Request object
    * @param response the Jetty Response object
    */
-  public static void setSecurityHeaders(OMWebConfiguration webConfiguration, Response response) {
+  public static void setSecurityHeaders(
+      OMWebConfiguration webConfiguration, Request request, Response response) {
     // Hsts
     if (webConfiguration.getHstsHeaderFactory() != null) {
       webConfiguration
@@ -90,7 +94,19 @@ public static void setSecurityHeaders(OMWebConfiguration webConfiguration, Respo
       webConfiguration
           .getCspHeaderFactory()
           .build()
-          .forEach((name, value) -> response.getHeaders().put(new HttpField(name, value)));
+          .forEach(
+              (name, value) -> {
+                if ((name.equals(CspHeaderFactory.CSP_HEADER)
+                        || name.equals(CspHeaderFactory.CSP_REPORT_ONLY_HEADER))
+                    && value.contains(CspNonceHandler.CSP_NONCE_PLACEHOLDER)) {
+                  final String nonce =
+                      (String) request.getAttribute(CspNonceHandler.CSP_NONCE_ATTRIBUTE);
+                  if (nonce != null) {
+                    value = value.replace(CspNonceHandler.CSP_NONCE_PLACEHOLDER, nonce);
+                  }
+                }
+                response.getHeaders().put(new HttpField(name, value));
+              });
     }
 
     // Referrer Policy
 
@@ -1,28 +1,45 @@
 package org.openmetadata.service.resources.system;
 
+import jakarta.servlet.http.HttpServletRequest;
 import jakarta.ws.rs.GET;
 import jakarta.ws.rs.Path;
 import jakarta.ws.rs.Produces;
+import jakarta.ws.rs.core.Context;
 import jakarta.ws.rs.core.MediaType;
 import jakarta.ws.rs.core.Response;
 import java.io.BufferedReader;
+import java.io.IOException;
 import java.io.InputStream;
 import java.io.InputStreamReader;
+import java.nio.charset.StandardCharsets;
 import java.util.stream.Collectors;
 import lombok.extern.slf4j.Slf4j;
 import org.openmetadata.service.OpenMetadataApplicationConfig;
+import org.openmetadata.service.security.CspNonceHandler;
 
 @Slf4j
 @Path("/")
 public class IndexResource {
+  private static final String RAW_INDEX_HTML;
+
+  static {
+    try (InputStream inputStream = IndexResource.class.getResourceAsStream("/assets/index.html")) {
+      if (inputStream == null) {
+        throw new IllegalStateException("Missing required resource: /assets/index.html");
+      }
+      RAW_INDEX_HTML =
+          new BufferedReader(new InputStreamReader(inputStream, StandardCharsets.UTF_8))
+              .lines()
+              .collect(Collectors.joining("\n"));
+    } catch (IOException e) {
+      throw new IllegalStateException("Failed to load /assets/index.html", e);
+    }
+  }
+
   private String indexHtml;
 
   public IndexResource() {
-    InputStream inputStream = getClass().getResourceAsStream("/assets/index.html");
-    indexHtml =
-        new BufferedReader(new InputStreamReader(inputStream))
-            .lines()
-            .collect(Collectors.joining("\n"));
+    indexHtml = RAW_INDEX_HTML;
   }
 
   public void initialize(OpenMetadataApplicationConfig config) {
@@ -32,13 +49,7 @@ public void initialize(OpenMetadataApplicationConfig config) {
   public static String getIndexFile(String basePath) {
     LOG.info("IndexResource.getIndexFile called with basePath: [{}]", basePath);
 
-    InputStream inputStream = IndexResource.class.getResourceAsStream("/assets/index.html");
-    String indexHtml =
-        new BufferedReader(new InputStreamReader(inputStream))
-            .lines()
-            .collect(Collectors.joining("\n"));
-
-    String result = indexHtml.replace("${basePath}", basePath);
+    String result = RAW_INDEX_HTML.replace("${basePath}", basePath);
     String basePathLine =
         result
             .lines()
@@ -50,9 +61,22 @@ public static String getIndexFile(String basePath) {
     return result;
   }
 
+  public static String getIndexFile(String basePath, String cspNonce) {
+    String html = getIndexFile(basePath);
+    if (cspNonce != null && !cspNonce.isEmpty()) {
+      html = html.replace("${cspNonce}", cspNonce);
+    }
+    return html;
+  }
+
   @GET
   @Produces(MediaType.TEXT_HTML)
-  public Response getIndex() {
-    return Response.ok(indexHtml).build();
+  public Response getIndex(@Context HttpServletRequest request) {
+    final String cspNonce = (String) request.getAttribute(CspNonceHandler.CSP_NONCE_ATTRIBUTE);
+    String html = indexHtml;
+    if (cspNonce != null && !cspNonce.isEmpty()) {
+      html = html.replace("${cspNonce}", cspNonce);
+    }
+    return Response.ok(html).build();
   }
 }
@@ -0,0 +1,75 @@
+/*
+ *  Copyright 2021 Collate
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+package org.openmetadata.service.security;
+
+import java.security.SecureRandom;
+import java.util.Base64;
+import org.eclipse.jetty.http.HttpField;
+import org.eclipse.jetty.http.HttpFields;
+import org.eclipse.jetty.server.Handler;
+import org.eclipse.jetty.server.Request;
+import org.eclipse.jetty.server.Response;
+import org.eclipse.jetty.util.Callback;
+import org.openmetadata.service.config.web.CspHeaderFactory;
+
+public final class CspNonceHandler extends Handler.Wrapper {
+  public static final String CSP_NONCE_ATTRIBUTE = "cspNonce";
+  public static final String CSP_NONCE_PLACEHOLDER = "__CSP_NONCE__";
+  private static final int NONCE_SIZE_BYTES = 16;
+  private static final SecureRandom RANDOM = new SecureRandom();
+
+  @Override
+  public boolean handle(Request request, Response response, Callback callback) throws Exception {
+    final String nonce = generateNonce();
+    request.setAttribute(CSP_NONCE_ATTRIBUTE, nonce);
+
+    Response.Wrapper wrappedResponse =
+        new Response.Wrapper(request, response) {
+          private HttpFields.Mutable wrappedHeaders;
+
+          @Override
+          public HttpFields.Mutable getHeaders() {
+            if (wrappedHeaders == null) {
+              final HttpFields.Mutable delegate = super.getHeaders();
+              wrappedHeaders =
+                  new HttpFields.Mutable.Wrapper(delegate) {
+                    @Override
+                    public HttpFields.Mutable put(HttpField field) {
+                      if (field.getName().equals(CspHeaderFactory.CSP_HEADER)
+                          || field.getName().equals(CspHeaderFactory.CSP_REPORT_ONLY_HEADER)) {
+                        final String value = field.getValue();
+                        if (value != null && value.contains(CSP_NONCE_PLACEHOLDER)) {
+                          final String replaced = value.replace(CSP_NONCE_PLACEHOLDER, nonce);
+                          super.put(new HttpField(field.getName(), replaced));
+                          return this;
+                        }
+                      }
+                      super.put(field);
+                      return this;
+                    }
+                  };
+            }
+            return wrappedHeaders;
+          }
+        };
+
+    return super.handle(request, wrappedResponse, callback);
+  }
+
+  private static String generateNonce() {
+    final byte[] nonceBytes = new byte[NONCE_SIZE_BYTES];
+    RANDOM.nextBytes(nonceBytes);
+    return Base64.getEncoder().encodeToString(nonceBytes);
+  }
+}
@@ -31,6 +31,7 @@
 import org.jetbrains.annotations.Nullable;
 import org.openmetadata.service.config.OMWebConfiguration;
 import org.openmetadata.service.resources.system.IndexResource;
+import org.openmetadata.service.security.CspNonceHandler;
 
 @Slf4j
 public class OpenMetadataAssetServlet extends AssetServlet {
@@ -63,9 +64,9 @@ protected void doGet(HttpServletRequest req, HttpServletResponse resp)
     String requestUri = req.getRequestURI();
 
     if (requestUri.endsWith("/")) {
-      // Serve index.html for directory requests
+      final String cspNonce = (String) req.getAttribute(CspNonceHandler.CSP_NONCE_ATTRIBUTE);
       resp.setContentType("text/html");
-      resp.getWriter().write(IndexResource.getIndexFile(this.basePath));
+      resp.getWriter().write(IndexResource.getIndexFile(this.basePath, cspNonce));
       return;
     }
 
@@ -109,10 +110,10 @@ protected void doGet(HttpServletRequest req, HttpServletResponse resp)
     // For SPA routing: serve index.html for 404s that don't look like static asset requests
     if (!resp.isCommitted() && (resp.getStatus() == 404)) {
       if (isSpaRoute(requestUri)) {
-        // Serve index file for SPA routes instead of 404
+        final String cspNonce = (String) req.getAttribute(CspNonceHandler.CSP_NONCE_ATTRIBUTE);
         resp.setStatus(200);
         resp.setContentType("text/html");
-        resp.getWriter().write(IndexResource.getIndexFile(this.basePath));
+        resp.getWriter().write(IndexResource.getIndexFile(this.basePath, cspNonce));
       } else {
         resp.sendError(404);
       }