Merge pull request #483 from mkurz/fix-play-java-streaming-example

mkurz · web-flow · commit 51d394341e9a · 2023-12-19T15:25:38.000+01:00
play-java-streaming-example: Add csp nonce
diff --git a/play-java-streaming-example/app/controllers/HomeController.java b/play-java-streaming-example/app/controllers/HomeController.java
@@ -0,0 +1,27 @@
+package controllers;
+
+import javax.inject.Inject;
+
+import play.routing.*;
+
+import play.mvc.Controller;
+import play.mvc.Http;
+import play.mvc.Result;
+
+public class HomeController extends Controller {
+
+  public Result index(final Http.Request request) {
+    return ok(views.html.index.render(request));
+  }
+
+  public Result javascriptRoutes(final Http.Request request) {
+    return ok(
+      JavaScriptReverseRouter.create(
+        "jsRoutes",
+        "jQuery.ajax",
+        request.host(),
+        routes.javascript.JavaEventSourceController.streamClock()
+      )
+    ).as("text/javascript");
+  }
+}
diff --git a/play-java-streaming-example/app/controllers/HomeController.scala b/play-java-streaming-example/app/controllers/HomeController.scala
diff --git a/play-java-streaming-example/app/controllers/JavaCometController.java b/play-java-streaming-example/app/controllers/JavaCometController.java
@@ -4,22 +4,23 @@
 import play.mvc.Controller;
 import play.mvc.Http;
 import play.mvc.Result;
+import views.html.helper.CSPNonce;
 
 import javax.inject.Singleton;
 
 @Singleton
 public class JavaCometController extends Controller implements JavaTicker {
 
-    public Result index() {
-        return ok(views.html.javacomet.render());
+    public Result index(final Http.Request request) {
+        return ok(views.html.javacomet.render(request));
     }
 
-    public Result streamClock() {
-        return ok().chunked(getStringSource().via(Comet.string("parent.clockChanged"))).as(Http.MimeTypes.HTML);
+    public Result streamClock(final Http.Request request) {
+        return ok().chunked(getStringSource().via(Comet.string("parent.clockChanged", CSPNonce.apply(request.asScala())))).as(Http.MimeTypes.HTML);
     }
 
-    public Result jsonClock() {
-        return ok().chunked(getJsonSource().via(Comet.json("parent.clockChanged"))).as(Http.MimeTypes.HTML);
+    public Result jsonClock(final Http.Request request) {
+        return ok().chunked(getJsonSource().via(Comet.json("parent.clockChanged", CSPNonce.apply(request.asScala())))).as(Http.MimeTypes.HTML);
     }
 
 }
diff --git a/play-java-streaming-example/app/controllers/JavaEventSourceController.java b/play-java-streaming-example/app/controllers/JavaEventSourceController.java
@@ -11,8 +11,8 @@
 @Singleton
 public class JavaEventSourceController extends Controller implements JavaTicker {
 
-    public Result index() {
-        return ok(views.html.javaeventsource.render());
+    public Result index(final Http.Request request) {
+        return ok(views.html.javaeventsource.render(request));
     }
 
     public Result streamClock() {
diff --git a/play-java-streaming-example/app/views/index.scala.html b/play-java-streaming-example/app/views/index.scala.html
@@ -1,4 +1,4 @@
-@()
+@()(implicit request: JRequestHeader)
 
 @main {
 
diff --git a/play-java-streaming-example/app/views/javacomet.scala.html b/play-java-streaming-example/app/views/javacomet.scala.html
@@ -1,4 +1,4 @@
-@()
+@()(implicit request: JRequestHeader)
 
 @main {
 
@@ -10,8 +10,8 @@ <h1 id="clock"></h1>
         Clock events are pushed from the Server using a Comet connection.
     </p>
 
-    <script src="@routes.Assets.at("javascripts/comet.js")"></script>
+    <script @{CSPNonce.attr} src="@routes.Assets.at("javascripts/comet.js")"></script>
 
-    <iframe id="comet" src="@routes.JavaCometController.streamClock().unique()"></iframe>
+    <iframe id="comet" hidden src="@routes.JavaCometController.streamClock().unique()"></iframe>
 
 }
diff --git a/play-java-streaming-example/app/views/javaeventsource.scala.html b/play-java-streaming-example/app/views/javaeventsource.scala.html
@@ -1,4 +1,4 @@
-@()
+@()(implicit request: JRequestHeader)
 
 @main {
     <h1>Server Sent Event clock</h1>
@@ -9,5 +9,5 @@ <h1 id="clock"></h1>
         Clock events are pushed from the Server using a Server Sent Event connection.
     </p>
 
-    <script src="@routes.Assets.at("javascripts/eventsource.js")"></script>
+    <script @{CSPNonce.attr} src="@routes.Assets.at("javascripts/eventsource.js")"></script>
 }
diff --git a/play-java-streaming-example/app/views/main.scala.html b/play-java-streaming-example/app/views/main.scala.html
@@ -1,4 +1,4 @@
-@(content: Html)
+@(content: Html)(implicit request: play.api.mvc.RequestHeader)
 
 <!DOCTYPE html>
 
@@ -7,8 +7,8 @@
         <title>EventSource clock</title>
         <link rel="stylesheet" media="screen" href="@routes.Assets.at("stylesheets/main.css")">
         <link rel="shortcut icon" type="image/png" href="@routes.Assets.at("images/favicon.png")">
-        <script src="@routes.Assets.at("javascripts/jquery-3.2.0.slim.js")" type="text/javascript"></script>
-        <script type="text/javascript" src="@routes.HomeController.javascriptRoutes"></script>
+        <script @{CSPNonce.attr} src="@routes.Assets.at("javascripts/jquery-3.2.0.slim.js")" type="text/javascript"></script>
+        <script @{CSPNonce.attr} type="text/javascript" src="@routes.HomeController.javascriptRoutes()"></script>
     </head>
     <body>
         @content
diff --git a/play-java-streaming-example/build.sbt b/play-java-streaming-example/build.sbt
@@ -16,3 +16,8 @@ javacOptions ++= Seq(
   "-Xlint:deprecation",
   "-Werror"
 )
+
+TwirlKeys.templateImports ++= Seq(
+  "play.mvc.Http.{ RequestHeader => JRequestHeader }",
+  "views.html.helper.CSPNonce"
+)
diff --git a/play-java-streaming-example/conf/routes b/play-java-streaming-example/conf/routes
@@ -4,15 +4,15 @@
 
 # Home page
 
-GET        /                                  controllers.HomeController.index()
+GET        /                                  controllers.HomeController.index(request: Request)
 
-GET        /java/comet                         controllers.JavaCometController.index()
-GET        /java/comet/liveClock               controllers.JavaCometController.streamClock()
+GET        /java/comet                         controllers.JavaCometController.index(request: Request)
+GET        /java/comet/liveClock               controllers.JavaCometController.streamClock(request: Request)
 
-GET        /java/eventSource                   controllers.JavaEventSourceController.index()
+GET        /java/eventSource                   controllers.JavaEventSourceController.index(request: Request)
 GET        /java/eventSource/liveClock         controllers.JavaEventSourceController.streamClock()
 
-GET        /javascriptRoutes                  controllers.HomeController.javascriptRoutes
+GET        /javascriptRoutes                  controllers.HomeController.javascriptRoutes(request: Request)
 
 # Map static resources from the /public folder to the /assets URL path
 GET        /assets/*file                      controllers.Assets.at(path="/public", file)
diff --git a/play-java-streaming-example/public/javascripts/eventsource.js b/play-java-streaming-example/public/javascripts/eventsource.js
@@ -4,5 +4,5 @@ if (!!window.EventSource) {
         $('#clock').html(e.data.replace(/(\d)/g, '<span>$1</span>'))
     });
 } else {
-    $("#clock").html("Sorry. This browser doesn't seem to support Server sent event. Check <a href='http://html5test.com/compare/feature/communication-eventSource.html'>html5test</a> for browser compatibility.");
+    $("#clock").html("Sorry. This browser doesn't seem to support Server sent event. Check <a href='https://html5test.com/compare/feature/communication.eventSource.html'>html5test</a> for browser compatibility.");
 }

Original file line number	Diff line number	Diff line change
`@@ -4,22 +4,23 @@`
`4`	`4`	`import play.mvc.Controller;`
`5`	`5`	`import play.mvc.Http;`
`6`	`6`	`import play.mvc.Result;`
	`7`	`+import views.html.helper.CSPNonce;`
`7`	`8`
`8`	`9`	`import javax.inject.Singleton;`
`9`	`10`
`10`	`11`	`@Singleton`
`11`	`12`	`public class JavaCometController extends Controller implements JavaTicker {`
`12`	`13`
`13`		`- public Result index() {`
`14`		`- return ok(views.html.javacomet.render());`
	`14`	`+ public Result index(final Http.Request request) {`
	`15`	`+ return ok(views.html.javacomet.render(request));`
`15`	`16`	`}`
`16`	`17`
`17`		`- public Result streamClock() {`
`18`		`- return ok().chunked(getStringSource().via(Comet.string("parent.clockChanged"))).as(Http.MimeTypes.HTML);`
	`18`	`+ public Result streamClock(final Http.Request request) {`
	`19`	`+ return ok().chunked(getStringSource().via(Comet.string("parent.clockChanged", CSPNonce.apply(request.asScala())))).as(Http.MimeTypes.HTML);`
`19`	`20`	`}`
`20`	`21`
`21`		`- public Result jsonClock() {`
`22`		`- return ok().chunked(getJsonSource().via(Comet.json("parent.clockChanged"))).as(Http.MimeTypes.HTML);`
	`22`	`+ public Result jsonClock(final Http.Request request) {`
	`23`	`+ return ok().chunked(getJsonSource().via(Comet.json("parent.clockChanged", CSPNonce.apply(request.asScala())))).as(Http.MimeTypes.HTML);`
`23`	`24`	`}`
`24`	`25`
`25`	`26`	`}`
Original file line number	Diff line number	Diff line change
`@@ -11,8 +11,8 @@`
`11`	`11`	`@Singleton`
`12`	`12`	`public class JavaEventSourceController extends Controller implements JavaTicker {`
`13`	`13`
`14`		`- public Result index() {`
`15`		`- return ok(views.html.javaeventsource.render());`
	`14`	`+ public Result index(final Http.Request request) {`
	`15`	`+ return ok(views.html.javaeventsource.render(request));`
`16`	`16`	`}`
`17`	`17`
`18`	`18`	`public Result streamClock() {`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-@()`
	`1`	`+@()(implicit request: JRequestHeader)`
`2`	`2`
`3`	`3`	`@main {`
`4`	`4`
Original file line number	Diff line number	Diff line change
`@@ -16,3 +16,8 @@ javacOptions ++= Seq(`
`16`	`16`	`"-Xlint:deprecation",`
`17`	`17`	`"-Werror"`
`18`	`18`	`)`
	`19`	`+`
	`20`	`+TwirlKeys.templateImports ++= Seq(`
	`21`	`+ "play.mvc.Http.{ RequestHeader => JRequestHeader }",`
	`22`	`+ "views.html.helper.CSPNonce"`
	`23`	`+)`