Skip to content

feat: add CSP (Content-Security-Policy) response header wasm plugin#4111

Open
orangeCatDeveloper wants to merge 1 commit into
higress-group:mainfrom
orangeCatDeveloper:feat/csp-plugin
Open

feat: add CSP (Content-Security-Policy) response header wasm plugin#4111
orangeCatDeveloper wants to merge 1 commit into
higress-group:mainfrom
orangeCatDeveloper:feat/csp-plugin

Conversation

@orangeCatDeveloper

@orangeCatDeveloper orangeCatDeveloper commented Jul 8, 2026

Copy link
Copy Markdown

Ⅰ. Describe what this PR did

Adds a new csp WASM plugin that injects the Content-Security-Policy response header to reduce XSS and other injection risks.

  • Enforce mode and report-only mode (Content-Security-Policy-Report-Only).
  • Optional report_only_policy: emits an extra report-only header alongside the enforced policy, enabling the standard CSP rollout (validate a stricter candidate while the current one stays enforced).
  • override controls upstream CSP headers: when true (default) upstream CSP is cleared before injecting; when false an existing header of the same variant is kept.

Ⅱ. Does this pull request fix one issue?

fixes #1706

Ⅲ. Why don't you add test cases (unit test/integration test)?

Tests are included: unit tests in main_test.go (run in both go and wasm modes) and e2e conformance cases in go-wasm-csp.go / go-wasm-csp.yaml (enforce, report-only, dual-policy, override on/off).

Ⅳ. Describe how to verify it

  • Unit: cd plugins/wasm-go/extensions/csp && go test ./...
  • e2e: make higress-wasmplugin-test PLUGIN_TYPE=GO PLUGIN_NAME=csp TEST_SHORTNAME=WasmPluginCSP (verified locally, all cases pass).

Ⅴ. Special notes for reviews

VERSION is 1.0.0-alpha so the build-all step compiles the plugin for e2e. Console registration is submitted separately in higress-group/higress-console#742.

Post-merge steps to make it usable from the console:

  1. Publish the plugin image to the registry — push a tag wasm-go-csp-v2.0.0, or run the Build and Push Wasm Plugin Image workflow (plugin_type=go, plugin_name=csp, version=2.0.0). Required — otherwise enabling the plugin from the console fails to pull oci://.../plugins/csp:2.0.0.
  2. Merge the console PR feat: add CSP plugin to built-in plugin list higress-console#742 (its plugins.properties already references csp:2.0.0).
  3. Cut/redeploy a console build so the bundled plugin spec ships.

The plugin card and config form render from the console's bundled spec (no registry needed); the registry image is only needed to actually load the plugin on the gateway.

Ⅵ. AI Coding Tool Usage Checklist (if applicable)

  • For new standalone features (e.g., new wasm plugin or golang-filter plugin):
    • I have created a design/ directory in the plugin folder
    • I have added the design document to the design/ directory
    • I have included the AI Coding summary below

AI Coding Summary

  • Key decisions: use Remove+Add instead of Replace so all values of a duplicated CSP header are cleared; override:false backs off per-variant (same variant kept, the other still injected); reject report_only_policy combined with report_only:true; default override to true.
  • Edge cases: an empty-value upstream header follows Envoy's not-found semantics, so it is treated as absent.
  • Verification: unit tests (go + wasm) and 5 e2e conformance cases pass locally.

Signed-off-by: NekoByte <engineer.jyao@gmail.com>
@codecov-commenter

codecov-commenter commented Jul 11, 2026

Copy link
Copy Markdown

⚠️ Please install the 'codecov app svg image' to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

❌ Patch coverage is 94.73684% with 2 lines in your changes missing coverage. Please review.
⚠️ Please upload report for BASE (main@1547826). Learn more about missing BASE report.

Files with missing lines Patch % Lines
plugins/wasm-go/extensions/csp/main.go 94.73% 1 Missing and 1 partial ⚠️
❗ Your organization needs to install the Codecov GitHub app to enable full functionality.
Additional details and impacted files

Impacted file tree graph

@@           Coverage Diff           @@
##             main    #4111   +/-   ##
=======================================
  Coverage        ?   50.59%           
=======================================
  Files           ?       89           
  Lines           ?    13436           
  Branches        ?        0           
=======================================
  Hits            ?     6798           
  Misses          ?     6194           
  Partials        ?      444           
Flag Coverage Δ
wasm-go-plugin-csp 94.73% <94.73%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines Coverage Δ
plugins/wasm-go/extensions/csp/main.go 94.73% <94.73%> (ø)
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

implement a wasmplugin to support Content Security Policy

2 participants