Merge pull request #483 from mkurz/fix-play-java-streaming-example

play-java-streaming-example: Add csp nonce
playframework · Dec 19, 2023 · 51d3943 · 51d3943
2 parents 3dc6c39 + 368ac27
commit 51d3943
Show file tree

Hide file tree

Showing 11 changed files with 56 additions and 44 deletions.
diff --git a/play-java-streaming-example/app/controllers/HomeController.java b/play-java-streaming-example/app/controllers/HomeController.java
@@ -0,0 +1,27 @@
+package controllers;
+
+import javax.inject.Inject;
+
+import play.routing.*;
+
+import play.mvc.Controller;
+import play.mvc.Http;
+import play.mvc.Result;
+
+public class HomeController extends Controller {
+
+  public Result index(final Http.Request request) {
+    return ok(views.html.index.render(request));
+  }
+
+  public Result javascriptRoutes(final Http.Request request) {
+    return ok(
+      JavaScriptReverseRouter.create(
+        "jsRoutes",
+        "jQuery.ajax",
+        request.host(),
+        routes.javascript.JavaEventSourceController.streamClock()
+      )
+    ).as("text/javascript");
+  }
+}
diff --git a/play-java-streaming-example/app/controllers/HomeController.scala b/play-java-streaming-example/app/controllers/HomeController.scala
diff --git a/play-java-streaming-example/app/controllers/JavaCometController.java b/play-java-streaming-example/app/controllers/JavaCometController.java
@@ -4,22 +4,23 @@
 import play.mvc.Controller;
 import play.mvc.Http;
 import play.mvc.Result;
+import views.html.helper.CSPNonce;
 
 import javax.inject.Singleton;
 
 @Singleton
 public class JavaCometController extends Controller implements JavaTicker {
 
-    public Result index() {
-        return ok(views.html.javacomet.render());
+    public Result index(final Http.Request request) {
+        return ok(views.html.javacomet.render(request));
     }
 
-    public Result streamClock() {
-        return ok().chunked(getStringSource().via(Comet.string("parent.clockChanged"))).as(Http.MimeTypes.HTML);
+    public Result streamClock(final Http.Request request) {
+        return ok().chunked(getStringSource().via(Comet.string("parent.clockChanged", CSPNonce.apply(request.asScala())))).as(Http.MimeTypes.HTML);
     }
 
-    public Result jsonClock() {
-        return ok().chunked(getJsonSource().via(Comet.json("parent.clockChanged"))).as(Http.MimeTypes.HTML);
+    public Result jsonClock(final Http.Request request) {
+        return ok().chunked(getJsonSource().via(Comet.json("parent.clockChanged", CSPNonce.apply(request.asScala())))).as(Http.MimeTypes.HTML);
     }
 
 }
diff --git a/play-java-streaming-example/app/controllers/JavaEventSourceController.java b/play-java-streaming-example/app/controllers/JavaEventSourceController.java
@@ -11,8 +11,8 @@
 @Singleton
 public class JavaEventSourceController extends Controller implements JavaTicker {
 
-    public Result index() {
-        return ok(views.html.javaeventsource.render());
+    public Result index(final Http.Request request) {
+        return ok(views.html.javaeventsource.render(request));
     }
 
     public Result streamClock() {

diff --git a/play-java-streaming-example/app/views/index.scala.html b/play-java-streaming-example/app/views/index.scala.html
@@ -1,4 +1,4 @@
-@()
+@()(implicit request: JRequestHeader)
 
 @main {
 

diff --git a/play-java-streaming-example/app/views/javacomet.scala.html b/play-java-streaming-example/app/views/javacomet.scala.html
@@ -1,4 +1,4 @@
-@()
+@()(implicit request: JRequestHeader)
 
 @main {
 
@@ -10,8 +10,8 @@ <h1 id="clock"></h1>
         Clock events are pushed from the Server using a Comet connection.
     </p>
 
-    <script src="@routes.Assets.at("javascripts/comet.js")"></script>
+    <script @{CSPNonce.attr} src="@routes.Assets.at("javascripts/comet.js")"></script>
 
-    <iframe id="comet" src="@routes.JavaCometController.streamClock().unique()"></iframe>
+    <iframe id="comet" hidden src="@routes.JavaCometController.streamClock().unique()"></iframe>
 
 }
diff --git a/play-java-streaming-example/app/views/javaeventsource.scala.html b/play-java-streaming-example/app/views/javaeventsource.scala.html
@@ -1,4 +1,4 @@
-@()
+@()(implicit request: JRequestHeader)
 
 @main {
     <h1>Server Sent Event clock</h1>
@@ -9,5 +9,5 @@ <h1 id="clock"></h1>
         Clock events are pushed from the Server using a Server Sent Event connection.
     </p>
 
-    <script src="@routes.Assets.at("javascripts/eventsource.js")"></script>
+    <script @{CSPNonce.attr} src="@routes.Assets.at("javascripts/eventsource.js")"></script>
 }
diff --git a/play-java-streaming-example/app/views/main.scala.html b/play-java-streaming-example/app/views/main.scala.html
@@ -1,4 +1,4 @@
-@(content: Html)
+@(content: Html)(implicit request: play.api.mvc.RequestHeader)
 
 <!DOCTYPE html>
 
@@ -7,8 +7,8 @@
         <title>EventSource clock</title>
         <link rel="stylesheet" media="screen" href="@routes.Assets.at("stylesheets/main.css")">
         <link rel="shortcut icon" type="image/png" href="@routes.Assets.at("images/favicon.png")">
-        <script src="@routes.Assets.at("javascripts/jquery-3.2.0.slim.js")" type="text/javascript"></script>
-        <script type="text/javascript" src="@routes.HomeController.javascriptRoutes"></script>
+        <script @{CSPNonce.attr} src="@routes.Assets.at("javascripts/jquery-3.2.0.slim.js")" type="text/javascript"></script>
+        <script @{CSPNonce.attr} type="text/javascript" src="@routes.HomeController.javascriptRoutes()"></script>
     </head>
     <body>
         @content

diff --git a/play-java-streaming-example/build.sbt b/play-java-streaming-example/build.sbt
@@ -16,3 +16,8 @@ javacOptions ++= Seq(
   "-Xlint:deprecation",
   "-Werror"
 )
+
+TwirlKeys.templateImports ++= Seq(
+  "play.mvc.Http.{ RequestHeader => JRequestHeader }",
+  "views.html.helper.CSPNonce"
+)
diff --git a/play-java-streaming-example/conf/routes b/play-java-streaming-example/conf/routes
@@ -4,15 +4,15 @@
 
 # Home page
 
-GET        /                                  controllers.HomeController.index()
+GET        /                                  controllers.HomeController.index(request: Request)
 
-GET        /java/comet                         controllers.JavaCometController.index()
-GET        /java/comet/liveClock               controllers.JavaCometController.streamClock()
+GET        /java/comet                         controllers.JavaCometController.index(request: Request)
+GET        /java/comet/liveClock               controllers.JavaCometController.streamClock(request: Request)
 
-GET        /java/eventSource                   controllers.JavaEventSourceController.index()
+GET        /java/eventSource                   controllers.JavaEventSourceController.index(request: Request)
 GET        /java/eventSource/liveClock         controllers.JavaEventSourceController.streamClock()
 
-GET        /javascriptRoutes                  controllers.HomeController.javascriptRoutes
+GET        /javascriptRoutes                  controllers.HomeController.javascriptRoutes(request: Request)
 
 # Map static resources from the /public folder to the /assets URL path
 GET        /assets/*file                      controllers.Assets.at(path="/public", file)
diff --git a/play-java-streaming-example/public/javascripts/eventsource.js b/play-java-streaming-example/public/javascripts/eventsource.js
@@ -4,5 +4,5 @@ if (!!window.EventSource) {
         $('#clock').html(e.data.replace(/(\d)/g, '<span>$1</span>'))
     });
 } else {
-    $("#clock").html("Sorry. This browser doesn't seem to support Server sent event. Check <a href='http://html5test.com/compare/feature/communication-eventSource.html'>html5test</a> for browser compatibility.");
+    $("#clock").html("Sorry. This browser doesn't seem to support Server sent event. Check <a href='https://html5test.com/compare/feature/communication.eventSource.html'>html5test</a> for browser compatibility.");
 }
-Original file line number
+Diff line change
@@ -1,4 +1,4 @@
-    @()
+    @()(implicit request: JRequestHeader)
     @main {
@@ Expand Down @@