package org.eclipse.scout.rt.server.commons.servlet;

import java.io.Serializable;
import java.util.Iterator;
import java.util.List;
import java.util.regex.Pattern;
import javax.annotation.PostConstruct;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.scout.rt.platform.ApplicationScoped;
import org.eclipse.scout.rt.platform.BEANS;
import org.eclipse.scout.rt.platform.config.CONFIG;
import org.eclipse.scout.rt.server.commons.ServerCommonsConfigProperties;

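/**
 * Applies the per-request servlet defaults: first the URL hints are updated from the request
 * ({@link #parseRequest}), then the baseline browser-hardening response headers are written
 * ({@link #setResponseHeaders}): {@code X-Content-Type-Options: nosniff} on every request, and
 * {@code X-Frame-Options}, {@code X-XSS-Protection} and the Content-Security-Policy header on
 * {@code GET} responses only.
 * <p>
 * The CSP policy string is built once, when the bean is constructed ({@link #buildCspPolicyToken}),
 * from the {@link ContentSecurityPolicy} bean; later changes to that bean are not picked up until
 * the token is set again. Whether CSP is emitted at all is decided per request by
 * {@link #isCspEnabled}, from the {@code CspEnabledProperty} and the {@code CspExclusionsProperty}
 * path patterns.
 * <p>
 * Security notes for maintainers: the framing, XSS-filter and CSP headers are deliberately limited
 * to {@code GET}; a HEAD/POST response that carries HTML would not get them, so keep non-GET
 * responses free of browser-rendered content or widen the check. The choice between the legacy
 * and the standard CSP header name is driven by {@link HttpClientInfo#isMshtml()}, i.e. by data
 * the client controls; a client that misreports itself only weakens its own protection.
 */
@ApplicationScoped
/* loaded from: input_file:org/eclipse/scout/rt/server/commons/servlet/HttpServletControl.class */
public class HttpServletControl implements Serializable {
    private static final long serialVersionUID = 1;
    public static final String HTTP_HEADER_X_FRAME_OPTIONS = "X-Frame-Options";
    public static final String SAMEORIGIN = "SAMEORIGIN";
    public static final String HTTP_HEADER_X_XSS_PROTECTION = "X-XSS-Protection";
    public static final String XSS_MODE_BLOCK = "1; mode=block";
    public static final String HTTP_HEADER_CSP = "Content-Security-Policy";
    public static final String HTTP_HEADER_CSP_LEGACY = "X-Content-Security-Policy";
    public static final String CSP_REPORT_URL = "csp-report";
    public static final String HTTP_HEADER_X_CONTENT_TYPE_OPTIONS = "X-Content-Type-Options";
    public static final String CONTENT_TYPE_OPTION_NO_SNIFF = "nosniff";
    /** Serialized CSP policy, computed once in {@link #buildCspPolicyToken}. */
    private String m_cspToken;

    /**
     * Builds the CSP policy string from the {@link ContentSecurityPolicy} bean and caches it.
     * Runs once after bean construction; call {@link #setCspToken} to replace the cached value.
     */
    @PostConstruct
    protected void buildCspPolicyToken() {
        ContentSecurityPolicy policy = BEANS.get(ContentSecurityPolicy.class);
        setCspToken(policy.toToken());
    }

    /** @return the cached CSP policy string, or {@code null} if it has not been built yet */
    protected final String getCspToken() {
        return this.m_cspToken;
    }

    /** @param cspToken the CSP policy string to send as header value; {@code null} is stored as-is */
    protected final void setCspToken(String cspToken) {
        this.m_cspToken = cspToken;
    }

    /**
     * Applies all request-side defaults, in this order: URL hints, then response headers.
     *
     * @param httpServlet the servlet handling the request
     * @param httpServletRequest the current request
     * @param httpServletResponse the response the headers are written to
     */
    public void doDefaults(HttpServlet httpServlet, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        parseRequest(httpServlet, httpServletRequest, httpServletResponse);
        setResponseHeaders(httpServlet, httpServletRequest, httpServletResponse);
    }

    /**
     * Request-side defaults: delegates to {@link UrlHints#updateHints} for the given request/response.
     * Subclasses may override to parse additional request data.
     */
    protected void parseRequest(HttpServlet httpServlet, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        UrlHints.updateHints(httpServletRequest, httpServletResponse);
    }

    /**
     * Writes the hardening headers. {@code X-Content-Type-Options: nosniff} is set for every
     * method; {@code X-Frame-Options: SAMEORIGIN}, {@code X-XSS-Protection: 1; mode=block} and
     * (when {@link #isCspEnabled} says so) the CSP header are set for {@code GET} only.
     *
     * @param httpServlet the servlet handling the request (unused here, available to subclasses)
     * @param httpServletRequest the request, consulted for the method, the CSP exclusions and the client type
     * @param httpServletResponse the response the headers are written to
     */
    protected void setResponseHeaders(HttpServlet httpServlet, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        // Independent of the method: never let the browser sniff a content type.
        httpServletResponse.setHeader(HTTP_HEADER_X_CONTENT_TYPE_OPTIONS, CONTENT_TYPE_OPTION_NO_SNIFF);
        if (!"GET".equals(httpServletRequest.getMethod())) {
            // NOTE(review): non-GET responses get no framing/XSS/CSP protection. Fine as long as
            // they never carry browser-rendered HTML -- confirm before relying on it.
            return;
        }
        httpServletResponse.setHeader(HTTP_HEADER_X_FRAME_OPTIONS, SAMEORIGIN);
        // X-XSS-Protection is a legacy filter that current browsers ignore; OWASP now recommends
        // sending "0" and relying on CSP instead. The value is a public constant (XSS_MODE_BLOCK),
        // so it is kept here for compatibility rather than changed silently.
        httpServletResponse.setHeader(HTTP_HEADER_X_XSS_PROTECTION, XSS_MODE_BLOCK);
        if (isCspEnabled(httpServletRequest)) {
            // Header name depends on the client classification (presumably User-Agent based,
            // hence client-controlled); only the name differs, the policy token is the same.
            String cspHeaderName = HttpClientInfo.get(httpServletRequest).isMshtml()
                    ? HTTP_HEADER_CSP_LEGACY
                    : HTTP_HEADER_CSP;
            httpServletResponse.setHeader(cspHeaderName, getCspToken());
        }
    }

    /**
     * Decides whether the CSP header is sent for this request.
     * <p>
     * Returns {@code false} if {@code CspEnabledProperty} is off. Otherwise the request's
     * {@code pathInfo} is tested against every {@code CspExclusionsProperty} pattern with
     * {@link java.util.regex.Matcher#matches()} (whole-string match, not {@code find()}); a hit
     * disables CSP for that request. With no exclusion list or no {@code pathInfo} the answer is
     * {@code true} (fail-closed towards sending the policy).
     *
     * @param httpServletRequest the request whose {@code pathInfo} is matched against the exclusions
     * @return {@code true} if the CSP header should be written
     */
    protected boolean isCspEnabled(HttpServletRequest httpServletRequest) {
        // Cast kept: the config API hands back the erased property type (cf. the original checkcasts).
        Boolean cspEnabled = (Boolean) CONFIG.getPropertyValue(ServerCommonsConfigProperties.CspEnabledProperty.class);
        if (!cspEnabled.booleanValue()) {
            return false;
        }
        List<Pattern> exclusions = (List<Pattern>) CONFIG.getPropertyValue(ServerCommonsConfigProperties.CspExclusionsProperty.class);
        String pathInfo = httpServletRequest.getPathInfo();
        if (exclusions == null || pathInfo == null) {
            return true;
        }
        // Whole-path match: an exclusion pattern must cover the complete pathInfo, which is the
        // path after the servlet mapping (the servlet path itself is not part of the test).
        for (Pattern exclusion : exclusions) {
            if (exclusion.matcher(pathInfo).matches()) {
                return false;
            }
        }
        return true;
    }
}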
