I have a Spring Boot application using version 3.3.7. I have configured my endpoint to generate some HTTP headers, using some XML, like:
```xml
<http request-matcher-ref="staticResourcesMatcher">
    <headers>
        <cache-control disabled="true"/>
        <content-security-policy policy-directives="default-src 'self' 'unsafe-eval' 'unsafe-inline'; img-src 'self' data:; connect-src *;"/>
        <cross-origin-embedder-policy policy="require-corp"/>
        <cross-origin-opener-policy policy="same-origin"/>
        <cross-origin-resource-policy policy="same-origin"/>
        <permissions-policy policy="geolocation=(), microphone=(), camera=()"/>
        <referrer-policy policy="no-referrer"/>
    </headers>
    <http-basic />
    <intercept-url pattern="**" access="isAuthenticated()" />
</http>
```
When I access a particular resource, called /img/logo.png, the headers appear as expected:
However, when I access a different resource, called /img/error.png, the headers are missing:
When I debug, I can see that in both cases the ContentSecurityPolicyHeaderWriter class is called for all the required headers. However, in the case of the missing headers, the ResponseHttpFields instance is already committed before these headers are added, which means that they are never added.
I believe the issue is that for larger files, the response is starting to be written before the ContentSecurityPolicyHeaderWriter is being called.
Comment From: bclozel
It looks like in some cases, headers cannot be written as the response is already committed.
The HeaderWriterFilter seems to write headers after the filter chain, which means that the response body might already be written to the network. I see that Spring Security added a new option to write those headers eagerly: https://github.com/spring-projects/spring-security/issues/6501
I'm not sure this option is available at the XML configuration level. I think this is a question for the Spring Security project. Could you raise the problem there?
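For reference, the same header set expressed as Java configuration with the eager-writing option from the linked issue turned on; this is an added example, not code from the issue or from the Spring projects. It assumes Spring Security 6.3 (the version Spring Boot 3.3.x manages), uses the placeholder pattern "/img/**" in place of the staticResourcesMatcher bean, and reproduces only the six explicit writers, not Spring Security's default headers.

```java
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.header.HeaderWriter;
import org.springframework.security.web.header.HeaderWriterFilter;
import org.springframework.security.web.header.writers.ContentSecurityPolicyHeaderWriter;
import org.springframework.security.web.header.writers.CrossOriginEmbedderPolicyHeaderWriter;
import org.springframework.security.web.header.writers.CrossOriginOpenerPolicyHeaderWriter;
import org.springframework.security.web.header.writers.CrossOriginResourcePolicyHeaderWriter;
import org.springframework.security.web.header.writers.PermissionsPolicyHeaderWriter;
import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter;

// Added example (not from the issue): Java equivalent of the XML <http> block with
// eager header writing. Assumes Spring Security 6.3; "/img/**" is a placeholder.
@Configuration
@EnableWebSecurity
public class StaticResourcesSecurityConfig {
    @Bean
    SecurityFilterChain staticResourcesChain(HttpSecurity http) throws Exception {
        http.securityMatcher("/img/**")
            // Drop the default HeaderWriterFilter and register our own at the same position.
            .headers(AbstractHttpConfigurer::disable)
            .addFilter(eagerHeaderWriterFilter())
            .httpBasic(Customizer.withDefaults())
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated());
        return http.build();
    }

    private static HeaderWriterFilter eagerHeaderWriterFilter() {
        CrossOriginEmbedderPolicyHeaderWriter coep = new CrossOriginEmbedderPolicyHeaderWriter();
        coep.setPolicy(CrossOriginEmbedderPolicyHeaderWriter.CrossOriginEmbedderPolicy.REQUIRE_CORP);
        CrossOriginOpenerPolicyHeaderWriter coop = new CrossOriginOpenerPolicyHeaderWriter();
        coop.setPolicy(CrossOriginOpenerPolicyHeaderWriter.CrossOriginOpenerPolicy.SAME_ORIGIN);
        CrossOriginResourcePolicyHeaderWriter corp = new CrossOriginResourcePolicyHeaderWriter();
        corp.setPolicy(CrossOriginResourcePolicyHeaderWriter.CrossOriginResourcePolicy.SAME_ORIGIN);
        List<HeaderWriter> writers = List.of(
            new ContentSecurityPolicyHeaderWriter(
                "default-src 'self' 'unsafe-eval' 'unsafe-inline'; img-src 'self' data:; connect-src *;"),
            coep, coop, corp,
            new PermissionsPolicyHeaderWriter("geolocation=(), microphone=(), camera=()"),
            new ReferrerPolicyHeaderWriter(ReferrerPolicyHeaderWriter.ReferrerPolicy.NO_REFERRER));
        HeaderWriterFilter filter = new HeaderWriterFilter(writers);
        // Set the headers before the rest of the chain runs, so a large body cannot commit first.
        filter.setShouldWriteHeadersEagerly(true);
        return filter;
    }
}
```

The eager mode trades the ability of downstream code to override these headers for the guarantee that they are present before the response is committed.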