feat(frontend): enable cross-origin isolation

author: Kristóf Marussy <kristof@marussy.com> 2022-10-02 15:45:49 +0200
committer: Kristóf Marussy <kristof@marussy.com> 2022-10-03 20:06:53 +0200
commit: 70ac4438b05136c54017d98a883bf6bf0f938d47 (patch)
tree: 2418f8670bf8ff2d7e6f6be2768c112e56de2a79 /subprojects/language-web/src/main/java
parent: feat(frontend): animate GenerateButton (diff)
download: refinery-70ac4438b05136c54017d98a883bf6bf0f938d47.tar.gz
refinery-70ac4438b05136c54017d98a883bf6bf0f938d47.tar.zst
refinery-70ac4438b05136c54017d98a883bf6bf0f938d47.zip
4 files changed, 78 insertions, 64 deletions
diff --git a/subprojects/language-web/src/main/java/tools/refinery/language/web/CacheControlFilter.java b/subprojects/language-web/src/main/java/tools/refinery/language/web/CacheControlFilter.java
index 8ac8a21e..fbce62c1 100644
--- a/subprojects/language-web/src/main/java/tools/refinery/language/web/CacheControlFilter.java
+++ b/subprojects/language-web/src/main/java/tools/refinery/language/web/CacheControlFilter.java
@@ -1,21 +1,15 @@
 package tools.refinery.language.web;
+import jakarta.servlet.*;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import org.eclipse.jetty.http.HttpHeader;
 import java.io.IOException;
 import java.time.Duration;
 import java.util.Set;
 import java.util.regex.Pattern;
-import org.eclipse.jetty.http.HttpHeader;
-import jakarta.servlet.Filter;
-import jakarta.servlet.FilterChain;
-import jakarta.servlet.FilterConfig;
-import jakarta.servlet.ServletException;
-import jakarta.servlet.ServletRequest;
-import jakarta.servlet.ServletResponse;
-import jakarta.servlet.http.HttpServletRequest;
-import jakarta.servlet.http.HttpServletResponse;
 public class CacheControlFilter implements Filter {
        private static final Pattern CACHE_URI_PATTERN = Pattern.compile(".*\\.(css|gif|js|map|png|svg|woff2?)");
@@ -29,11 +23,6 @@ public class CacheControlFilter implements Filter {
        private static final String CACHE_CONTROL_NO_CACHE_VALUE = "no-cache, no-store, max-age: 0, must-revalidate";
        @Override
-        public void init(FilterConfig filterConfig) throws ServletException {
-                // Nothing to initialize.
-        }
-        @Override
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                        throws IOException, ServletException {
                if (request instanceof HttpServletRequest httpRequest && response instanceof HttpServletResponse httpResponse) {
@@ -49,9 +38,4 @@ public class CacheControlFilter implements Filter {
                }
                chain.doFilter(request, response);
        }
-        @Override
-        public void destroy() {
-                // Nothing to dispose.
-        }
 }
diff --git a/subprojects/language-web/src/main/java/tools/refinery/language/web/SecurityHeadersFilter.java b/subprojects/language-web/src/main/java/tools/refinery/language/web/SecurityHeadersFilter.java
new file mode 100644
index 00000000..40dd7ee5
--- /dev/null
+++ b/subprojects/language-web/src/main/java/tools/refinery/language/web/SecurityHeadersFilter.java
@@ -0,0 +1,32 @@
+package tools.refinery.language.web;
+import jakarta.servlet.*;
+import jakarta.servlet.http.HttpServletResponse;
+import java.io.IOException;
+public class SecurityHeadersFilter implements Filter {
+        @Override
+        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException,
+                        ServletException {
+                if (response instanceof HttpServletResponse httpResponse) {
+                        httpResponse.setHeader("Content-Security-Policy", "default-src 'self'; " +
+                                        // CodeMirror needs inline styles, see e.g.,
+                                        // https://discuss.codemirror.net/t/inline-styles-and-content-security-policy/1311/2
+                                        "style-src 'self' 'unsafe-inline'; " +
+                                        // Use 'data:' for displaying inline SVG backgrounds.
+                                        "img-src 'self' data:; " +
+                                        "object-src 'none'; " +
+                                        "base-uri 'none';");
+                        httpResponse.setHeader("X-Content-Type-Options", "nosniff");
+                        httpResponse.setHeader("X-Frame-Options", "DENY");
+                        httpResponse.setHeader("Referrer-Policy", "strict-origin");
+                        // Enable cross-origin isolation, https://web.dev/cross-origin-isolation-guide/
+                        httpResponse.setHeader("Cross-Origin-Opener-Policy", "same-origin");
+                        httpResponse.setHeader("Cross-Origin-Embedder-Policy", "require-corp");
+                        // We do not expose any sensitive data over HTTP, so <code>cross-origin</code> is safe here.
+                        httpResponse.setHeader("Cross-Origin-Resource-Policy", "cross-origin");
+                }
+                chain.doFilter(request, response);
+        }
+}
diff --git a/subprojects/language-web/src/main/java/tools/refinery/language/web/ServerLauncher.java b/subprojects/language-web/src/main/java/tools/refinery/language/web/ServerLauncher.java
index ffd903d0..ffa61321 100644
--- a/subprojects/language-web/src/main/java/tools/refinery/language/web/ServerLauncher.java
+++ b/subprojects/language-web/src/main/java/tools/refinery/language/web/ServerLauncher.java
@@ -3,15 +3,8 @@
 */
 package tools.refinery.language.web;
-import java.io.File;
+import jakarta.servlet.DispatcherType;
-import java.io.IOException;
+import jakarta.servlet.SessionTrackingMode;
-import java.net.InetSocketAddress;
-import java.net.URI;
-import java.net.URISyntaxException;
-import java.util.EnumSet;
-import java.util.Optional;
-import java.util.Set;
 import org.eclipse.jetty.server.Server;
 import org.eclipse.jetty.server.session.SessionHandler;
 import org.eclipse.jetty.servlet.DefaultServlet;
@@ -21,11 +14,16 @@ import org.eclipse.jetty.util.resource.Resource;
 import org.eclipse.jetty.websocket.server.config.JettyWebSocketServletContainerInitializer;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import jakarta.servlet.DispatcherType;
-import jakarta.servlet.SessionTrackingMode;
 import tools.refinery.language.web.xtext.servlet.XtextWebSocketServlet;
+import java.io.File;
+import java.io.IOException;
+import java.net.InetSocketAddress;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.util.EnumSet;
+import java.util.Set;
 public class ServerLauncher {
        public static final String DEFAULT_LISTEN_ADDRESS = "localhost";
@@ -36,24 +34,25 @@ public class ServerLauncher {
        public static final int HTTP_DEFAULT_PORT = 80;
        public static final int HTTPS_DEFAULT_PORT = 443;
-        
-        public static final String ALLOWED_ORIGINS_SEPARATOR = ";";
+        public static final String ALLOWED_ORIGINS_SEPARATOR = ",";
        private static final Logger LOG = LoggerFactory.getLogger(ServerLauncher.class);
        private final Server server;
-        public ServerLauncher(InetSocketAddress bindAddress, Resource baseResource, Optional<String[]> allowedOrigins) {
+        public ServerLauncher(InetSocketAddress bindAddress, Resource baseResource, String[] allowedOrigins) {
                server = new Server(bindAddress);
                var handler = new ServletContextHandler();
                addSessionHandler(handler);
                addProblemServlet(handler, allowedOrigins);
                if (baseResource != null) {
                        handler.setBaseResource(baseResource);
-                        handler.setWelcomeFiles(new String[] { "index.html" });
+                        handler.setWelcomeFiles(new String[]{"index.html"});
                        addDefaultServlet(handler);
                }
                handler.addFilter(CacheControlFilter.class, "/*", EnumSet.of(DispatcherType.REQUEST));
+                handler.addFilter(SecurityHeadersFilter.class, "/*", EnumSet.of(DispatcherType.REQUEST));
                server.setHandler(handler);
        }
@@ -63,13 +62,13 @@ public class ServerLauncher {
                handler.setSessionHandler(sessionHandler);
        }
-        private void addProblemServlet(ServletContextHandler handler, Optional<String[]> allowedOrigins) {
+        private void addProblemServlet(ServletContextHandler handler, String[] allowedOrigins) {
                var problemServletHolder = new ServletHolder(ProblemWebSocketServlet.class);
-                if (allowedOrigins.isEmpty()) {
+                if (allowedOrigins == null) {
                        LOG.warn("All WebSocket origins are allowed! This setting should not be used in production!");
                } else {
                        var allowedOriginsString = String.join(XtextWebSocketServlet.ALLOWED_ORIGINS_SEPARATOR,
-                                        allowedOrigins.get());
+                                        allowedOrigins);
                        problemServletHolder.setInitParameter(XtextWebSocketServlet.ALLOWED_ORIGINS_INIT_PARAM,
                                        allowedOriginsString);
                }
@@ -141,8 +140,8 @@ public class ServerLauncher {
                        return Resource.newResource(webRootUri);
                }
                // Look for unpacked production artifacts (convenience for running from IDE).
-                var unpackedResourcePathComponents = new String[] { System.getProperty("user.dir"), "build", "webpack",
+                var unpackedResourcePathComponents = new String[]{System.getProperty("user.dir"), "build", "webpack",
-                                "production" };
+                                "production"};
                var unpackedResourceDir = new File(String.join(File.separator, unpackedResourcePathComponents));
                if (unpackedResourceDir.isDirectory()) {
                        return Resource.newResource(unpackedResourceDir);
@@ -164,29 +163,31 @@ public class ServerLauncher {
                if (portStr != null) {
                        return Integer.parseInt(portStr);
                }
-                return DEFAULT_LISTEN_PORT;
+                return DEFAULT_PUBLIC_PORT;
        }
-        private static Optional<String[]> getAllowedOrigins() {
+        private static String[] getAllowedOrigins() {
                var allowedOrigins = System.getenv("ALLOWED_ORIGINS");
                if (allowedOrigins != null) {
-                        return Optional.of(allowedOrigins.split(ALLOWED_ORIGINS_SEPARATOR));
+                        return allowedOrigins.split(ALLOWED_ORIGINS_SEPARATOR);
                }
                return getAllowedOriginsFromPublicHostAndPort();
        }
-        private static Optional<String[]> getAllowedOriginsFromPublicHostAndPort() {
+        // This method returns <code>null</code> to indicate that all origins are allowed.
+        @SuppressWarnings("squid:S1168")
+        private static String[] getAllowedOriginsFromPublicHostAndPort() {
                var publicHost = getPublicHost();
                if (publicHost == null) {
-                        return Optional.empty();
+                        return null;
                }
                int publicPort = getPublicPort();
                var scheme = publicPort == HTTPS_DEFAULT_PORT ? "https" : "http";
                var urlWithPort = String.format("%s://%s:%d", scheme, publicHost, publicPort);
                if (publicPort == HTTPS_DEFAULT_PORT || publicPort == HTTP_DEFAULT_PORT) {
                        var urlWithoutPort = String.format("%s://%s", scheme, publicHost);
-                        return Optional.of(new String[] { urlWithPort, urlWithoutPort });
+                        return new String[]{urlWithPort, urlWithoutPort};
                }
-                return Optional.of(new String[] { urlWithPort });
+                return new String[]{urlWithPort};
        }
 }
diff --git a/subprojects/language-web/src/main/java/tools/refinery/language/web/xtext/servlet/XtextWebSocketServlet.java b/subprojects/language-web/src/main/java/tools/refinery/language/web/xtext/servlet/XtextWebSocketServlet.java
index 942ca380..a2ad2943 100644
--- a/subprojects/language-web/src/main/java/tools/refinery/language/web/xtext/servlet/XtextWebSocketServlet.java
+++ b/subprojects/language-web/src/main/java/tools/refinery/language/web/xtext/servlet/XtextWebSocketServlet.java
@@ -1,28 +1,25 @@
 package tools.refinery.language.web.xtext.servlet;
-import java.io.IOException;
+import jakarta.servlet.ServletConfig;
-import java.time.Duration;
+import jakarta.servlet.ServletException;
-import java.util.Set;
+import org.eclipse.jetty.websocket.server.*;
-import org.eclipse.jetty.websocket.server.JettyServerUpgradeRequest;
-import org.eclipse.jetty.websocket.server.JettyServerUpgradeResponse;
-import org.eclipse.jetty.websocket.server.JettyWebSocketCreator;
-import org.eclipse.jetty.websocket.server.JettyWebSocketServlet;
-import org.eclipse.jetty.websocket.server.JettyWebSocketServletFactory;
 import org.eclipse.xtext.resource.IResourceServiceProvider;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import jakarta.servlet.ServletConfig;
+import java.io.IOException;
-import jakarta.servlet.ServletException;
+import java.io.Serial;
+import java.time.Duration;
+import java.util.Set;
 public abstract class XtextWebSocketServlet extends JettyWebSocketServlet implements JettyWebSocketCreator {
+        @Serial
        private static final long serialVersionUID = -3772740838165122685L;
-        public static final String ALLOWED_ORIGINS_SEPARATOR = ";";
+        public static final String ALLOWED_ORIGINS_SEPARATOR = ",";
-        public static final String ALLOWED_ORIGINS_INIT_PARAM = "tools.refinery.language.web.xtext.XtextWebSocketServlet.allowedOrigin";
+        public static final String ALLOWED_ORIGINS_INIT_PARAM =
+                        "tools.refinery.language.web.xtext.XtextWebSocketServlet.allowedOrigin";
        public static final String XTEXT_SUBPROTOCOL_V1 = "tools.refinery.language.web.xtext.v1";
@@ -33,7 +30,7 @@ public abstract class XtextWebSocketServlet extends JettyWebSocketServlet implem
        private static final Duration IDLE_TIMEOUT = Duration.ofSeconds(30);
-        private transient Logger log = LoggerFactory.getLogger(getClass());
+        private final transient Logger log = LoggerFactory.getLogger(getClass());
        private transient Set<String> allowedOrigins = null;
author	Kristóf Marussy <kristof@marussy.com>	2022-10-02 15:45:49 +0200
committer	Kristóf Marussy <kristof@marussy.com>	2022-10-03 20:06:53 +0200
commit	70ac4438b05136c54017d98a883bf6bf0f938d47 (patch)
tree	2418f8670bf8ff2d7e6f6be2768c112e56de2a79 /subprojects/language-web/src/main/java
parent	feat(frontend): animate GenerateButton (diff)
download	refinery-70ac4438b05136c54017d98a883bf6bf0f938d47.tar.gz refinery-70ac4438b05136c54017d98a883bf6bf0f938d47.tar.zst refinery-70ac4438b05136c54017d98a883bf6bf0f938d47.zip

diff --git a/subprojects/language-web/src/main/java/tools/refinery/language/web/CacheControlFilter.java b/subprojects/language-web/src/main/java/tools/refinery/language/web/CacheControlFilter.java index 8ac8a21e..fbce62c1 100644 --- a/subprojects/language-web/src/main/java/tools/refinery/language/web/CacheControlFilter.java +++ b/subprojects/language-web/src/main/java/tools/refinery/language/web/CacheControlFilter.java
@@ -1,21 +1,15 @@
1	package tools.refinery.language.web;	1	package tools.refinery.language.web;
2		2
		3	import jakarta.servlet.*;
		4	import jakarta.servlet.http.HttpServletRequest;
		5	import jakarta.servlet.http.HttpServletResponse;
		6	import org.eclipse.jetty.http.HttpHeader;
		7
3	import java.io.IOException;	8	import java.io.IOException;
4	import java.time.Duration;	9	import java.time.Duration;
5	import java.util.Set;	10	import java.util.Set;
6	import java.util.regex.Pattern;	11	import java.util.regex.Pattern;
7		12
8	import org.eclipse.jetty.http.HttpHeader;
9
10	import jakarta.servlet.Filter;
11	import jakarta.servlet.FilterChain;
12	import jakarta.servlet.FilterConfig;
13	import jakarta.servlet.ServletException;
14	import jakarta.servlet.ServletRequest;
15	import jakarta.servlet.ServletResponse;
16	import jakarta.servlet.http.HttpServletRequest;
17	import jakarta.servlet.http.HttpServletResponse;
18
19	public class CacheControlFilter implements Filter {	13	public class CacheControlFilter implements Filter {
20	private static final Pattern CACHE_URI_PATTERN = Pattern.compile(".*\\.(css\|gif\|js\|map\|png\|svg\|woff2?)");	14	private static final Pattern CACHE_URI_PATTERN = Pattern.compile(".*\\.(css\|gif\|js\|map\|png\|svg\|woff2?)");
21		15
@@ -29,11 +23,6 @@ public class CacheControlFilter implements Filter {
29	private static final String CACHE_CONTROL_NO_CACHE_VALUE = "no-cache, no-store, max-age: 0, must-revalidate";	23	private static final String CACHE_CONTROL_NO_CACHE_VALUE = "no-cache, no-store, max-age: 0, must-revalidate";
30		24
31	@Override	25	@Override
32	public void init(FilterConfig filterConfig) throws ServletException {
33	// Nothing to initialize.
34	}
35
36	@Override
37	public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)	26	public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
38	throws IOException, ServletException {	27	throws IOException, ServletException {
39	if (request instanceof HttpServletRequest httpRequest && response instanceof HttpServletResponse httpResponse) {	28	if (request instanceof HttpServletRequest httpRequest && response instanceof HttpServletResponse httpResponse) {
@@ -49,9 +38,4 @@ public class CacheControlFilter implements Filter {
49	}	38	}
50	chain.doFilter(request, response);	39	chain.doFilter(request, response);
51	}	40	}
52
53	@Override
54	public void destroy() {
55	// Nothing to dispose.
56	}
57	}	41	}


diff --git a/subprojects/language-web/src/main/java/tools/refinery/language/web/SecurityHeadersFilter.java b/subprojects/language-web/src/main/java/tools/refinery/language/web/SecurityHeadersFilter.java new file mode 100644 index 00000000..40dd7ee5 --- /dev/null +++ b/subprojects/language-web/src/main/java/tools/refinery/language/web/SecurityHeadersFilter.java
@@ -0,0 +1,32 @@
		1	package tools.refinery.language.web;
		2
		3	import jakarta.servlet.*;
		4	import jakarta.servlet.http.HttpServletResponse;
		5
		6	import java.io.IOException;
		7
		8	public class SecurityHeadersFilter implements Filter {
		9	@Override
		10	public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException,
		11	ServletException {
		12	if (response instanceof HttpServletResponse httpResponse) {
		13	httpResponse.setHeader("Content-Security-Policy", "default-src 'self'; " +
		14	// CodeMirror needs inline styles, see e.g.,
		15	// https://discuss.codemirror.net/t/inline-styles-and-content-security-policy/1311/2
		16	"style-src 'self' 'unsafe-inline'; " +
		17	// Use 'data:' for displaying inline SVG backgrounds.
		18	"img-src 'self' data:; " +
		19	"object-src 'none'; " +
		20	"base-uri 'none';");
		21	httpResponse.setHeader("X-Content-Type-Options", "nosniff");
		22	httpResponse.setHeader("X-Frame-Options", "DENY");
		23	httpResponse.setHeader("Referrer-Policy", "strict-origin");
		24	// Enable cross-origin isolation, https://web.dev/cross-origin-isolation-guide/
		25	httpResponse.setHeader("Cross-Origin-Opener-Policy", "same-origin");
		26	httpResponse.setHeader("Cross-Origin-Embedder-Policy", "require-corp");
		27	// We do not expose any sensitive data over HTTP, so <code>cross-origin</code> is safe here.
		28	httpResponse.setHeader("Cross-Origin-Resource-Policy", "cross-origin");
		29	}
		30	chain.doFilter(request, response);
		31	}
		32	}


diff --git a/subprojects/language-web/src/main/java/tools/refinery/language/web/ServerLauncher.java b/subprojects/language-web/src/main/java/tools/refinery/language/web/ServerLauncher.java index ffd903d0..ffa61321 100644 --- a/subprojects/language-web/src/main/java/tools/refinery/language/web/ServerLauncher.java +++ b/subprojects/language-web/src/main/java/tools/refinery/language/web/ServerLauncher.java
@@ -3,15 +3,8 @@
3	*/	3	*/
4	package tools.refinery.language.web;	4	package tools.refinery.language.web;
5		5
6	import java.io.File;	6	import jakarta.servlet.DispatcherType;
7	import java.io.IOException;	7	import jakarta.servlet.SessionTrackingMode;
8	import java.net.InetSocketAddress;
9	import java.net.URI;
10	import java.net.URISyntaxException;
11	import java.util.EnumSet;
12	import java.util.Optional;
13	import java.util.Set;
14
15	import org.eclipse.jetty.server.Server;	8	import org.eclipse.jetty.server.Server;
16	import org.eclipse.jetty.server.session.SessionHandler;	9	import org.eclipse.jetty.server.session.SessionHandler;
17	import org.eclipse.jetty.servlet.DefaultServlet;	10	import org.eclipse.jetty.servlet.DefaultServlet;
@@ -21,11 +14,16 @@ import org.eclipse.jetty.util.resource.Resource;
21	import org.eclipse.jetty.websocket.server.config.JettyWebSocketServletContainerInitializer;	14	import org.eclipse.jetty.websocket.server.config.JettyWebSocketServletContainerInitializer;
22	import org.slf4j.Logger;	15	import org.slf4j.Logger;
23	import org.slf4j.LoggerFactory;	16	import org.slf4j.LoggerFactory;
24
25	import jakarta.servlet.DispatcherType;
26	import jakarta.servlet.SessionTrackingMode;
27	import tools.refinery.language.web.xtext.servlet.XtextWebSocketServlet;	17	import tools.refinery.language.web.xtext.servlet.XtextWebSocketServlet;
28		18
		19	import java.io.File;
		20	import java.io.IOException;
		21	import java.net.InetSocketAddress;
		22	import java.net.URI;
		23	import java.net.URISyntaxException;
		24	import java.util.EnumSet;
		25	import java.util.Set;
		26
29	public class ServerLauncher {	27	public class ServerLauncher {
30	public static final String DEFAULT_LISTEN_ADDRESS = "localhost";	28	public static final String DEFAULT_LISTEN_ADDRESS = "localhost";
31		29
@@ -36,24 +34,25 @@ public class ServerLauncher {
36	public static final int HTTP_DEFAULT_PORT = 80;	34	public static final int HTTP_DEFAULT_PORT = 80;
37		35
38	public static final int HTTPS_DEFAULT_PORT = 443;	36	public static final int HTTPS_DEFAULT_PORT = 443;
39		37
40	public static final String ALLOWED_ORIGINS_SEPARATOR = ";";	38	public static final String ALLOWED_ORIGINS_SEPARATOR = ",";
41		39
42	private static final Logger LOG = LoggerFactory.getLogger(ServerLauncher.class);	40	private static final Logger LOG = LoggerFactory.getLogger(ServerLauncher.class);
43		41
44	private final Server server;	42	private final Server server;
45		43
46	public ServerLauncher(InetSocketAddress bindAddress, Resource baseResource, Optional<String[]> allowedOrigins) {	44	public ServerLauncher(InetSocketAddress bindAddress, Resource baseResource, String[] allowedOrigins) {
47	server = new Server(bindAddress);	45	server = new Server(bindAddress);
48	var handler = new ServletContextHandler();	46	var handler = new ServletContextHandler();
49	addSessionHandler(handler);	47	addSessionHandler(handler);
50	addProblemServlet(handler, allowedOrigins);	48	addProblemServlet(handler, allowedOrigins);
51	if (baseResource != null) {	49	if (baseResource != null) {
52	handler.setBaseResource(baseResource);	50	handler.setBaseResource(baseResource);
53	handler.setWelcomeFiles(new String[] { "index.html" });	51	handler.setWelcomeFiles(new String[]{"index.html"});
54	addDefaultServlet(handler);	52	addDefaultServlet(handler);
55	}	53	}
56	handler.addFilter(CacheControlFilter.class, "/*", EnumSet.of(DispatcherType.REQUEST));	54	handler.addFilter(CacheControlFilter.class, "/*", EnumSet.of(DispatcherType.REQUEST));
		55	handler.addFilter(SecurityHeadersFilter.class, "/*", EnumSet.of(DispatcherType.REQUEST));
57	server.setHandler(handler);	56	server.setHandler(handler);
58	}	57	}
59		58
@@ -63,13 +62,13 @@ public class ServerLauncher {
63	handler.setSessionHandler(sessionHandler);	62	handler.setSessionHandler(sessionHandler);
64	}	63	}
65		64
66	private void addProblemServlet(ServletContextHandler handler, Optional<String[]> allowedOrigins) {	65	private void addProblemServlet(ServletContextHandler handler, String[] allowedOrigins) {
67	var problemServletHolder = new ServletHolder(ProblemWebSocketServlet.class);	66	var problemServletHolder = new ServletHolder(ProblemWebSocketServlet.class);
68	if (allowedOrigins.isEmpty()) {	67	if (allowedOrigins == null) {
69	LOG.warn("All WebSocket origins are allowed! This setting should not be used in production!");	68	LOG.warn("All WebSocket origins are allowed! This setting should not be used in production!");
70	} else {	69	} else {
71	var allowedOriginsString = String.join(XtextWebSocketServlet.ALLOWED_ORIGINS_SEPARATOR,	70	var allowedOriginsString = String.join(XtextWebSocketServlet.ALLOWED_ORIGINS_SEPARATOR,
72	allowedOrigins.get());	71	allowedOrigins);
73	problemServletHolder.setInitParameter(XtextWebSocketServlet.ALLOWED_ORIGINS_INIT_PARAM,	72	problemServletHolder.setInitParameter(XtextWebSocketServlet.ALLOWED_ORIGINS_INIT_PARAM,
74	allowedOriginsString);	73	allowedOriginsString);
75	}	74	}
@@ -141,8 +140,8 @@ public class ServerLauncher {
141	return Resource.newResource(webRootUri);	140	return Resource.newResource(webRootUri);
142	}	141	}
143	// Look for unpacked production artifacts (convenience for running from IDE).	142	// Look for unpacked production artifacts (convenience for running from IDE).
144	var unpackedResourcePathComponents = new String[] { System.getProperty("user.dir"), "build", "webpack",	143	var unpackedResourcePathComponents = new String[]{System.getProperty("user.dir"), "build", "webpack",
145	"production" };	144	"production"};
146	var unpackedResourceDir = new File(String.join(File.separator, unpackedResourcePathComponents));	145	var unpackedResourceDir = new File(String.join(File.separator, unpackedResourcePathComponents));
147	if (unpackedResourceDir.isDirectory()) {	146	if (unpackedResourceDir.isDirectory()) {
148	return Resource.newResource(unpackedResourceDir);	147	return Resource.newResource(unpackedResourceDir);
@@ -164,29 +163,31 @@ public class ServerLauncher {
164	if (portStr != null) {	163	if (portStr != null) {
165	return Integer.parseInt(portStr);	164	return Integer.parseInt(portStr);
166	}	165	}
167	return DEFAULT_LISTEN_PORT;	166	return DEFAULT_PUBLIC_PORT;
168	}	167	}
169		168
170	private static Optional<String[]> getAllowedOrigins() {	169	private static String[] getAllowedOrigins() {
171	var allowedOrigins = System.getenv("ALLOWED_ORIGINS");	170	var allowedOrigins = System.getenv("ALLOWED_ORIGINS");
172	if (allowedOrigins != null) {	171	if (allowedOrigins != null) {
173	return Optional.of(allowedOrigins.split(ALLOWED_ORIGINS_SEPARATOR));	172	return allowedOrigins.split(ALLOWED_ORIGINS_SEPARATOR);
174	}	173	}
175	return getAllowedOriginsFromPublicHostAndPort();	174	return getAllowedOriginsFromPublicHostAndPort();
176	}	175	}
177		176
178	private static Optional<String[]> getAllowedOriginsFromPublicHostAndPort() {	177	// This method returns <code>null</code> to indicate that all origins are allowed.
		178	@SuppressWarnings("squid:S1168")
		179	private static String[] getAllowedOriginsFromPublicHostAndPort() {
179	var publicHost = getPublicHost();	180	var publicHost = getPublicHost();
180	if (publicHost == null) {	181	if (publicHost == null) {
181	return Optional.empty();	182	return null;
182	}	183	}
183	int publicPort = getPublicPort();	184	int publicPort = getPublicPort();
184	var scheme = publicPort == HTTPS_DEFAULT_PORT ? "https" : "http";	185	var scheme = publicPort == HTTPS_DEFAULT_PORT ? "https" : "http";
185	var urlWithPort = String.format("%s://%s:%d", scheme, publicHost, publicPort);	186	var urlWithPort = String.format("%s://%s:%d", scheme, publicHost, publicPort);
186	if (publicPort == HTTPS_DEFAULT_PORT \|\| publicPort == HTTP_DEFAULT_PORT) {	187	if (publicPort == HTTPS_DEFAULT_PORT \|\| publicPort == HTTP_DEFAULT_PORT) {
187	var urlWithoutPort = String.format("%s://%s", scheme, publicHost);	188	var urlWithoutPort = String.format("%s://%s", scheme, publicHost);
188	return Optional.of(new String[] { urlWithPort, urlWithoutPort });	189	return new String[]{urlWithPort, urlWithoutPort};
189	}	190	}
190	return Optional.of(new String[] { urlWithPort });	191	return new String[]{urlWithPort};
191	}	192	}
192	}	193	}


diff --git a/subprojects/language-web/src/main/java/tools/refinery/language/web/xtext/servlet/XtextWebSocketServlet.java b/subprojects/language-web/src/main/java/tools/refinery/language/web/xtext/servlet/XtextWebSocketServlet.java index 942ca380..a2ad2943 100644 --- a/subprojects/language-web/src/main/java/tools/refinery/language/web/xtext/servlet/XtextWebSocketServlet.java +++ b/subprojects/language-web/src/main/java/tools/refinery/language/web/xtext/servlet/XtextWebSocketServlet.java
@@ -1,28 +1,25 @@
1	package tools.refinery.language.web.xtext.servlet;	1	package tools.refinery.language.web.xtext.servlet;
2		2
3	import java.io.IOException;	3	import jakarta.servlet.ServletConfig;
4	import java.time.Duration;	4	import jakarta.servlet.ServletException;
5	import java.util.Set;	5	import org.eclipse.jetty.websocket.server.*;
6
7	import org.eclipse.jetty.websocket.server.JettyServerUpgradeRequest;
8	import org.eclipse.jetty.websocket.server.JettyServerUpgradeResponse;
9	import org.eclipse.jetty.websocket.server.JettyWebSocketCreator;
10	import org.eclipse.jetty.websocket.server.JettyWebSocketServlet;
11	import org.eclipse.jetty.websocket.server.JettyWebSocketServletFactory;
12	import org.eclipse.xtext.resource.IResourceServiceProvider;	6	import org.eclipse.xtext.resource.IResourceServiceProvider;
13	import org.slf4j.Logger;	7	import org.slf4j.Logger;
14	import org.slf4j.LoggerFactory;	8	import org.slf4j.LoggerFactory;
15		9
16	import jakarta.servlet.ServletConfig;	10	import java.io.IOException;
17	import jakarta.servlet.ServletException;	11	import java.io.Serial;
		12	import java.time.Duration;
		13	import java.util.Set;
18		14
19	public abstract class XtextWebSocketServlet extends JettyWebSocketServlet implements JettyWebSocketCreator {	15	public abstract class XtextWebSocketServlet extends JettyWebSocketServlet implements JettyWebSocketCreator {
20		16	@Serial
21	private static final long serialVersionUID = -3772740838165122685L;	17	private static final long serialVersionUID = -3772740838165122685L;
22		18
23	public static final String ALLOWED_ORIGINS_SEPARATOR = ";";	19	public static final String ALLOWED_ORIGINS_SEPARATOR = ",";
24		20
25	public static final String ALLOWED_ORIGINS_INIT_PARAM = "tools.refinery.language.web.xtext.XtextWebSocketServlet.allowedOrigin";	21	public static final String ALLOWED_ORIGINS_INIT_PARAM =
		22	"tools.refinery.language.web.xtext.XtextWebSocketServlet.allowedOrigin";
26		23
27	public static final String XTEXT_SUBPROTOCOL_V1 = "tools.refinery.language.web.xtext.v1";	24	public static final String XTEXT_SUBPROTOCOL_V1 = "tools.refinery.language.web.xtext.v1";
28		25
@@ -33,7 +30,7 @@ public abstract class XtextWebSocketServlet extends JettyWebSocketServlet implem
33		30
34	private static final Duration IDLE_TIMEOUT = Duration.ofSeconds(30);	31	private static final Duration IDLE_TIMEOUT = Duration.ofSeconds(30);
35		32
36	private transient Logger log = LoggerFactory.getLogger(getClass());	33	private final transient Logger log = LoggerFactory.getLogger(getClass());
37		34
38	private transient Set<String> allowedOrigins = null;	35	private transient Set<String> allowedOrigins = null;
39		36