[GEOS-11346] Add a configurable Content-Security-Policy header

doc/en/user/source/installation/upgrade.rst

@@ -30,6 +30,25 @@ The general GeoServer upgrade process is as follows:
 Notes on upgrading specific versions
 ------------------------------------
 
+Content Security Policy (GeoServer 2.26 and newer)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+As of GeoServer 2.26, the Content-Security-Policy HTTP response header will be enabled by default
+in order to mitigate cross-site scripting and clickjacking attacks. The default header value is
+intended to **block** the use of inline JavaScript in all HTML output except in cases where it is
+required (e.g., OpenLayers maps). It is possible that future work may further restrict the default
+policy.
+
+Most uers without any customized HTML output should not experience any issues. Users who need
+inline JavaScript in custom FreeMarker templates for WMS GetFeatureInfo HTML output should see
+:ref:`tutorials_getfeatureinfo_html_csp`. Users experiencing issues with static web files or custom
+classes/plugins generating HTML output may need to update their settings. For more information, see
+:ref:`production_config_csp`.
+
+.. note::
+    It is recommended that static web files be disabled if they are not necessary in order to
+    mitigate cross-site scripting attacks. For more information, see :ref`tutorials_staticfiles`.
+
 GRIB Layers (GeoServer 2.26 and newer)
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 GeoServer 2.26 upgraded underlying Unidata NetCDF libraries, from 4.x to 5.x, which includes internal changes to how GRIB files are intepreted (mapping tables and GRIB parameters interpretation changes). 

doc/en/user/source/production/config.rst

@@ -243,17 +243,32 @@ If you wish to change this behavior you can do so through the following properti
 * ``geoserver.xframe.shouldSetPolicy``: controls whether the X-Frame-Options header should be set at all. Default is true.
 * ``geoserver.xframe.policy``: controls what to set the X-Frame-Options header to. Default is ``SAMEORIGIN``. Valid options are ``DENY``, ``SAMEORIGIN`` and ``ALLOW-FROM [uri]``.
 
+These properties can be set either via Java system property, command line argument (-D), environment
+variable or web.xml init parameter.
+
 .. note::
     The WMS GetMap OpenLayers output format uses iframes to display the WMS GetFeatureInfo output and
     this may not function properly if the policy is set to something other than ``SAMEORIGIN``.
 
 .. warning::
     The ``ALLOW-FROM`` option is not supported by modern browsers and should only be used if you know
     that browsers interacting with your GeoServer will support it. Applying this policy will be treated
-    as if no policy was set by browsers that do not support this (i.e., **NO** protection).
+    as if no policy was set by browsers that do not support this (i.e., **NO** protection). The
+    ``Content-Security-Policy`` header provides more robust support for allowing specific hosts to
+    display frames from GeoServer using the ``frame-ancestors`` directive.
 
-These properties can be set either via Java system property, command line argument (-D), environment
-variable or :file:`web.xml` init parameter.
+If the ``geoserver.csp.frameAncestors`` system property has not been set, the ``frame-ancestors``
+directive of the ``Content-Security-Policy`` header will default to being set based on the value of
+the ``X-Frame-Options`` header.
+
+* ``SAMEORIGIN`` will be ``frame-ancestors 'self'``
+* ``DENY`` will be ``frame-ancestors 'none'``
+* if the ``X-Frame-Options`` header is not set or has any other value, the ``frame-ancestors``
+  directive will be omitted
+
+When both ``frame-ancestors`` and ``X-Frame-Options`` are present, browsers that support
+``frame-ancestors`` should **enforce** the ``frame-ancestors`` policy and **ignore** the
+``X-Frame-Options`` policy.
 
 X-Content-Type-Options Policy
 '''''''''''''''''''''''''''''
@@ -300,6 +315,23 @@ If you wish to change this behavior you can do so through the following properti
 These properties can be set either via Java system property, command line argument (-D), environment
 variable or web.xml init parameter.
 
+.. _production_config_csp:
+
+Content-Security-Policy
+'''''''''''''''''''''''
+
+In order to mitigate cross-site scripting and clickjacking attacks GeoServer defaults to setting
+the Content-Security-Policy HTTP header based on rules loaded from a configuration file. See the
+:ref:`security_csp` page for more details about this header, GeoServer's default configuration and
+how to change the configuration.
+
+* ``geoserver.csp.shouldSetPolicy``: controls whether to set the Content-Security-Policy header.
+  Default is true.
+* ``geoserver.csp.policy``: controls the value of the Content-Security-Policy header. Default is to
+  leave this property blank, which will use the configuration file that will set the header based
+  on the request and server environment but this property allows the administrator to set a fixed
+  header value, which can be useful in cases where JavaScript is not needed at all.
+
 OWS ServiceException XML mimeType
 '''''''''''''''''''''''''''''''''