feat: add CSP (Content-Security-Policy) response header wasm plugin#4111
Open
orangeCatDeveloper wants to merge 1 commit into
Open
feat: add CSP (Content-Security-Policy) response header wasm plugin#4111orangeCatDeveloper wants to merge 1 commit into
orangeCatDeveloper wants to merge 1 commit into
Conversation
This was referenced Jul 8, 2026
Signed-off-by: NekoByte <engineer.jyao@gmail.com>
fb1ec99 to
31a3524
Compare
|
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #4111 +/- ##
=======================================
Coverage ? 50.59%
=======================================
Files ? 89
Lines ? 13436
Branches ? 0
=======================================
Hits ? 6798
Misses ? 6194
Partials ? 444
Flags with carried forward coverage won't be shown. Click here to find out more.
🚀 New features to boost your workflow:
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Ⅰ. Describe what this PR did
Adds a new
cspWASM plugin that injects theContent-Security-Policyresponse header to reduce XSS and other injection risks.Content-Security-Policy-Report-Only).report_only_policy: emits an extra report-only header alongside the enforced policy, enabling the standard CSP rollout (validate a stricter candidate while the current one stays enforced).overridecontrols upstream CSP headers: whentrue(default) upstream CSP is cleared before injecting; whenfalsean existing header of the same variant is kept.Ⅱ. Does this pull request fix one issue?
fixes #1706
Ⅲ. Why don't you add test cases (unit test/integration test)?
Tests are included: unit tests in
main_test.go(run in both go and wasm modes) and e2e conformance cases ingo-wasm-csp.go/go-wasm-csp.yaml(enforce, report-only, dual-policy, override on/off).Ⅳ. Describe how to verify it
cd plugins/wasm-go/extensions/csp && go test ./...make higress-wasmplugin-test PLUGIN_TYPE=GO PLUGIN_NAME=csp TEST_SHORTNAME=WasmPluginCSP(verified locally, all cases pass).Ⅴ. Special notes for reviews
VERSIONis1.0.0-alphaso the build-all step compiles the plugin for e2e. Console registration is submitted separately in higress-group/higress-console#742.Post-merge steps to make it usable from the console:
wasm-go-csp-v2.0.0, or run the Build and Push Wasm Plugin Image workflow (plugin_type=go,plugin_name=csp,version=2.0.0). Required — otherwise enabling the plugin from the console fails to pulloci://.../plugins/csp:2.0.0.plugins.propertiesalready referencescsp:2.0.0).The plugin card and config form render from the console's bundled spec (no registry needed); the registry image is only needed to actually load the plugin on the gateway.
Ⅵ. AI Coding Tool Usage Checklist (if applicable)
design/directory in the plugin folderdesign/directoryAI Coding Summary
Remove+Addinstead ofReplaceso all values of a duplicated CSP header are cleared;override:falsebacks off per-variant (same variant kept, the other still injected); rejectreport_only_policycombined withreport_only:true; defaultoverridetotrue.