Expected Behavior
The currently generated login and logout pages include two CSS files from the Bootstrap CDN. The first (bootstrap.min.css) already includes an integrity attribute in the generated link. The second (signin.css) does not include such an attribute. However, according to https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity, subresource elements loaded from a CDN using a link element should ideally include the integrity attribute. This could be reported as an issue by web security tools such as OWASP ZAP.

Code impacted:
- https://github.com/spring-projects/spring-security/blob/f2f19270da063515cac5b9cb3a1612156715c009/web/src/main/java/org/springframework/security/web/server/ui/LogoutPageGeneratingWebFilter.java#L81
- https://github.com/spring-projects/spring-security/blob/f2f19270da063515cac5b9cb3a1612156715c009/web/src/main/java/org/springframework/security/web/authentication/ui/DefaultLogoutPageGeneratingFilter.java#L75
- https://github.com/spring-projects/spring-security/blob/f2f19270da063515cac5b9cb3a1612156715c009/web/src/main/java/org/springframework/security/web/authentication/ui/DefaultLoginPageGeneratingFilter.java#L205
- https://github.com/spring-projects/spring-security/blob/f2f19270da063515cac5b9cb3a1612156715c009/web/src/main/java/org/springframework/security/web/server/ui/LoginPageGeneratingWebFilter.java#L101
Current Behavior
This is the currently generated login page:
```html
<title>Please sign in</title>
<link href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0-beta/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-/Y6pD6FV/Vv2HJnA6t+vslU6fwYXjCFtcEpHbNJ0lyAFsXTsjBbfaDjzALeQsN6M" crossorigin="anonymous">
<link href="https://getbootstrap.com/docs/4.0/examples/signin/signin.css" rel="stylesheet" crossorigin="anonymous"/>
</head>
```
Context
Found this issue while running OWASP ZAP on my Spring Boot application, ZAP generated this alert:
```text
Sub Resource Integrity Attribute Missing
Evidence: <link href="https://getbootstrap.com/docs/4.0/examples/signin/signin.css" rel="stylesheet" crossorigin="anonymous"/>
CWE: 345
WASC ID: 15
Source: Passive (90003 - Sub Resource Integrity Attribute Missing)
```
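The following is an added example, not code from Spring Security or from this issue's author. It shows the two halves of the report above in working Python: a check that flags cross-origin stylesheets and scripts lacking an `integrity` attribute (the condition ZAP's passive rule 90003 reports), and the computation of the `sha384-...` value a generated `<link>` needs, plus the browser-side verification that makes the attribute worthwhile. The page markup is the snippet quoted in the issue; the stylesheet body (`SIGNIN_CSS`) is a constructed stand-in, since the real value must be computed over the exact bytes the CDN serves.

```python
import base64
import hashlib
import hmac
from html.parser import HTMLParser
from urllib.parse import urlparse

SRI_ALGOS = ("sha256", "sha384", "sha512")  # the only digest algorithms SRI-capable browsers accept

# Constructed input: the login page markup quoted in this issue.
LOGIN_PAGE = '''<title>Please sign in</title>
<link href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0-beta/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-/Y6pD6FV/Vv2HJnA6t+vslU6fwYXjCFtcEpHbNJ0lyAFsXTsjBbfaDjzALeQsN6M" crossorigin="anonymous">
<link href="https://getbootstrap.com/docs/4.0/examples/signin/signin.css" rel="stylesheet" crossorigin="anonymous"/>
</head>'''

SIGNIN_URL = "https://getbootstrap.com/docs/4.0/examples/signin/signin.css"

# Constructed stand-in for the stylesheet body (assumption); hash the exact bytes served by the CDN in practice.
SIGNIN_CSS = b".form-signin { max-width: 330px; padding: 15px; margin: 0 auto; }\n"


class _ResourceCollector(HTMLParser):
    """Collect (url, integrity) pairs for stylesheets and scripts, the element kinds SRI covers."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        rel = (a.get("rel") or "").lower()
        if tag == "link" and "stylesheet" in rel.split() and a.get("href"):
            self.resources.append((a["href"], a.get("integrity")))
        elif tag == "script" and a.get("src"):
            self.resources.append((a["src"], a.get("integrity")))


def find_missing_integrity(html, page_host):
    """URLs of cross-origin stylesheets/scripts that carry no integrity attribute."""
    parser = _ResourceCollector()
    parser.feed(html)
    missing = []
    for url, integrity in parser.resources:
        host = urlparse(url).netloc
        if host and host != page_host and not integrity:
            missing.append(url)
    return missing


def sri_hash(content, algo="sha384"):
    """Build an integrity value: '<algo>-' followed by the base64 digest of the bytes."""
    if algo not in SRI_ALGOS:
        raise ValueError("SRI supports only sha256, sha384 and sha512")
    digest = hashlib.new(algo, content).digest()
    return algo + "-" + base64.b64encode(digest).decode("ascii")


def verify_sri(content, integrity):
    """Check bytes against an integrity attribute the way a browser does: among the
    space-separated tokens keep only the strongest algorithm present, accept if any of
    its digests matches, and ignore tokens with unknown algorithms."""
    by_algo = {}
    for token in integrity.split():
        algo, _, digest = token.partition("-")
        if algo in SRI_ALGOS:
            by_algo.setdefault(algo, []).append(digest.split("?")[0])  # drop optional ?options suffix
    if not by_algo:
        return False
    strongest = max(by_algo, key=SRI_ALGOS.index)
    actual = base64.b64encode(hashlib.new(strongest, content).digest()).decode("ascii")
    return any(hmac.compare_digest(actual, expected) for expected in by_algo[strongest])


def stylesheet_link(href, content):
    """Render the <link> as a generated page should emit it, with integrity pinned to content."""
    return ('<link href="%s" rel="stylesheet" integrity="%s" crossorigin="anonymous"/>'
            % (href, sri_hash(content)))


def fixed_login_page():
    """The issue's page with the second stylesheet pinned, i.e. what the proposed change yields."""
    unpinned = '<link href="%s" rel="stylesheet" crossorigin="anonymous"/>' % SIGNIN_URL
    return LOGIN_PAGE.replace(unpinned, stylesheet_link(SIGNIN_URL, SIGNIN_CSS))


if __name__ == "__main__":
    print("missing before:", find_missing_integrity(LOGIN_PAGE, "localhost"))
    print("missing after: ", find_missing_integrity(fixed_login_page(), "localhost"))
    print(stylesheet_link(SIGNIN_URL, SIGNIN_CSS))
```

The check treats a resource as cross-origin by comparing its host with the page's host, which is the same distinction the ZAP rule draws; the `crossorigin="anonymous"` attribute already present on both links is what lets the browser actually enforce the hash on a cross-origin fetch. Because the integrity value is bound to the exact bytes, pinning a URL that is not version-locked (the `signin.css` example page, as opposed to a versioned CDN path) means the page breaks as soon as the upstream file changes, which is the practical caveat behind the maintainer's advice to ship your own pages.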
Comment From: sjohnr
@ovanekem thanks for reporting this. Generally, we recommend simply replacing the login and/or logout pages with your own, as they are not meant for production use. However, this seems a straightforward improvement.
Would you like to submit a PR for this?
Comment From: ovanekem
@sjohnr Yep sure, I'll fix and issue a PR.