
Bad return type for HeadersConfigurer#permissionsPolicy method with customizer #14803

Closed
@florianberthe

Description

Describe the bug
permissionsPolicy(Customizer<PermissionsPolicyConfig> permissionsPolicyCustomizer) method in HeadersConfigurer class currently returns an instance of PermissionsPolicyConfig. It breaks the chaining in HeadersConfigurer.

To Reproduce
See samples below.
Current implementation:

public PermissionsPolicyConfig permissionsPolicy(Customizer<PermissionsPolicyConfig> permissionsPolicyCustomizer) {
    this.permissionsPolicy.writer = new PermissionsPolicyHeaderWriter();
    permissionsPolicyCustomizer.customize(this.permissionsPolicy);
    return this.permissionsPolicy;
}

Expected behavior
This method should return HeadersConfigurer<H> instance.

public HeadersConfigurer<H> permissionsPolicy(Customizer<PermissionsPolicyConfig> permissionsPolicyCustomizer) {
    this.permissionsPolicy.writer = new PermissionsPolicyHeaderWriter();
    permissionsPolicyCustomizer.customize(this.permissionsPolicy);
    return HeadersConfigurer.this;
}

Sample

This code compiles:

public static void applyConfig(HttpSecurity http) throws Exception {
    http.headers(headers -> headers
            .defaultsDisabled()
            .xssProtection(xssProtection -> xssProtection.headerValue(HeaderValue.ENABLED_MODE_BLOCK))
            .frameOptions(FrameOptionsConfig::sameOrigin)
            .contentSecurityPolicy(contentSecurityPolicy -> contentSecurityPolicy
                .policyDirectives("default-src 'none'" +
                    "; frame-ancestors 'self'" +
                    "; style-src 'self' 'unsafe-inline'" +
                    "; form-action 'self'" +
                    "; font-src 'self'" +
                    "; object-src 'none'" +
                    "; media-src 'self'")
            )
            .referrerPolicy(referrerPolicy -> referrerPolicy.policy(ReferrerPolicy.STRICT_ORIGIN))
            // permissionsPolicy(...) is the last call, so its PermissionsPolicyConfig return type never matters
            .permissionsPolicy(permissionsPolicy -> permissionsPolicy.policy("camera=(self), sync-xhr=(self), geolocation=()"))
        );
}

This code doesn't compile:

public static void applyConfig(HttpSecurity http) throws Exception {
    http.headers(headers -> headers
            .defaultsDisabled()
            .xssProtection(xssProtection -> xssProtection.headerValue(HeaderValue.ENABLED_MODE_BLOCK))
            .frameOptions(FrameOptionsConfig::sameOrigin)
            // returns PermissionsPolicyConfig, which has no contentSecurityPolicy(...) method:
            // the next line fails to compile
            .permissionsPolicy(permissionsPolicy -> permissionsPolicy.policy("camera=(self), sync-xhr=(self), geolocation=()"))
            .contentSecurityPolicy(contentSecurityPolicy -> contentSecurityPolicy
                .policyDirectives("default-src 'none'" +
                    "; frame-ancestors 'self'" +
                    "; style-src 'self' 'unsafe-inline'" +
                    "; form-action 'self'" +
                    "; font-src 'self'" +
                    "; object-src 'none'" +
                    "; media-src 'self'")
            )
            .referrerPolicy(referrerPolicy -> referrerPolicy.policy(ReferrerPolicy.STRICT_ORIGIN))
        );
}
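The two samples above only differ in where permissionsPolicy(...) sits in the chain; it works when it is the last call because nothing is invoked on the PermissionsPolicyConfig it returns. The following is an added, Spring-free reduction of that pattern (not Spring Security's code, not the reporter's): a hypothetical HeadersConfigurer with non-static nested config classes and a stand-in Customizer interface, carrying both the reported return type (permissionsPolicyBroken) and the expected one (permissionsPolicy) side by side, so the compile failure and the fix can be seen in one file. All class and method names here are assumptions chosen to mirror the issue, and the header value strings are constructed sample input.

```java
import java.util.ArrayList;
import java.util.List;

// Stand-in for Spring's Customizer<T> so the file compiles without Spring (hypothetical).
@FunctionalInterface
interface Customizer<T> {
    void customize(T t);
}

// Hypothetical, reduced HeadersConfigurer: the nested config classes are
// non-static inner classes, as in the issue, so HeadersConfigurer.this is
// the natural value for a customizer method to return.
final class HeadersConfigurer {

    final class ReferrerPolicyConfig {
        private String policy = "no-referrer";

        ReferrerPolicyConfig policy(String policy) {
            this.policy = policy;
            return this;
        }

        String header() {
            return "Referrer-Policy: " + this.policy;
        }
    }

    final class PermissionsPolicyConfig {
        private String policy;

        PermissionsPolicyConfig policy(String policy) {
            this.policy = policy;
            return this;
        }

        String header() {
            return "Permissions-Policy: " + this.policy;
        }
    }

    private final ReferrerPolicyConfig referrerPolicy = new ReferrerPolicyConfig();
    private final PermissionsPolicyConfig permissionsPolicy = new PermissionsPolicyConfig();

    // Returns the outer configurer: the chain can continue with any other header.
    HeadersConfigurer referrerPolicy(Customizer<ReferrerPolicyConfig> customizer) {
        customizer.customize(this.referrerPolicy);
        return this;
    }

    // Shape reported in the issue: returns the nested config, so the chain
    // can only continue with PermissionsPolicyConfig methods.
    PermissionsPolicyConfig permissionsPolicyBroken(Customizer<PermissionsPolicyConfig> customizer) {
        customizer.customize(this.permissionsPolicy);
        return this.permissionsPolicy;
    }

    // Shape the issue asks for: returns HeadersConfigurer.this.
    HeadersConfigurer permissionsPolicy(Customizer<PermissionsPolicyConfig> customizer) {
        customizer.customize(this.permissionsPolicy);
        return this;
    }

    // Emits the configured headers; Permissions-Policy only when a policy was set.
    List<String> build() {
        List<String> out = new ArrayList<>();
        out.add(this.referrerPolicy.header());
        if (this.permissionsPolicy.policy != null) {
            out.add(this.permissionsPolicy.header());
        }
        return out;
    }
}

public class PermissionsPolicyChainingDemo {
    public static void main(String[] args) {
        // Same order as the "doesn't compile" sample: permissionsPolicy is not the last call.
        HeadersConfigurer headers = new HeadersConfigurer()
                .permissionsPolicy(pp -> pp.policy("camera=(self), sync-xhr=(self), geolocation=()"))
                .referrerPolicy(rp -> rp.policy("strict-origin"));
        headers.build().forEach(System.out::println);

        // With the reported return type the same order does not compile, because
        // PermissionsPolicyConfig has no referrerPolicy(...) method. Kept as a
        // comment so this file compiles:
        // new HeadersConfigurer()
        //         .permissionsPolicyBroken(pp -> pp.policy("camera=()"))
        //         .referrerPolicy(rp -> rp.policy("strict-origin"));
    }
}
```

Compile and run with `javac PermissionsPolicyChainingDemo.java && java PermissionsPolicyChainingDemo`; it prints the Referrer-Policy and Permissions-Policy lines. Uncommenting the last block reproduces the compile error from the second sample. The practical concern behind the return type is that a developer who hits that error may move or drop the Permissions-Policy call rather than reorder the chain, so a configuration review should confirm the header is actually emitted on responses rather than trusting that the builder code compiled.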

Labels: in: config (an issue in spring-security-config), type: enhancement