I made a Spring Boot application using version 3.3.7. I have configured my endpoint to generate some HTTP headers, using some XML, like:

    <http request-matcher-ref="staticResourcesMatcher">
        <headers>
            <cache-control disabled="true"/>
            <content-security-policy policy-directives="default-src 'self' 'unsafe-eval' 'unsafe-inline'; img-src 'self' data:; connect-src *;"/>
            <cross-origin-embedder-policy policy="require-corp"/>
            <cross-origin-opener-policy policy="same-origin"/>
            <cross-origin-resource-policy policy="same-origin"/>
            <permissions-policy policy="geolocation=(), microphone=(), camera=()"/>
            <referrer-policy policy="no-referrer"/>
        </headers>
        <http-basic />
        <intercept-url pattern="**" access="isAuthenticated()" />
    </http>

When I access a particular resource, called /img/logo.png, the headers appear as expected:


However, when I access a different resource, called /img/error.png, the headers are missing:

When I debug, I can see that in both cases the ContentSecurityPolicyHeaderWriter class is called for all the required headers. However, in the case of the missing headers, the ResponseHttpFields instance is already committed before these headers are added, which means that they are never added.

I believe the issue is that for larger files, the response is starting to be written before the ContentSecurityPolicyHeaderWriter is being called.

Comment From: PushpendraKushvaha

Hi @cartbar,

As you mentioned in your description, the issue occurs with larger files. Could you please specify up to what file size it is working as expected and from which file size the headers are missing in the response?

Also, if you could provide a sample project, it would help us easily reproduce and debug the issue from our end.

Comment From: cartbar

Hello.

I don't know the exact size. It works ok with a file of 1,379 bytes, but does not with a file of 73,358.

I have created a demo project using Spring Initializr with Spring Web and Spring Security. I added the two image files in src\main\resources\static.

I started the application using "gradlew bootRun".

Went to http://localhost:8080.

After logging on, I accessed both files. All the expected headers were returned.

I edited the build.gradle to switch to the embedded Jetty server.

After logging on, I accessed both files. For the smaller file, the headers returned were:

For the larger file, the headers returned were:

This is the demo project: demo.zip

So, it would seem the issue affects Jetty but not Tomcat.
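A small audit that checks each static resource's response headers against the policy the `<headers>` block configures, so a missing-on-large-file regression like the one reported above is caught rather than noticed by eye. This is an added example, not code from the issue or the demo project; the expected values are copied from the XML in the report, and the two sample responses are constructed to mimic the small and large image cases.

```python
# Added example (not from the issue or its demo project): audit the security headers
# the <headers> block is configured to emit. Sample responses below are constructed.
import base64
import urllib.request

# <cache-control disabled="true"/> means Cache-Control is deliberately not expected.
EXPECTED = {
    "content-security-policy": "default-src 'self' 'unsafe-eval' 'unsafe-inline'; img-src 'self' data:; connect-src *;",
    "cross-origin-embedder-policy": "require-corp",
    "cross-origin-opener-policy": "same-origin",
    "cross-origin-resource-policy": "same-origin",
    "permissions-policy": "geolocation=(), microphone=(), camera=()",
    "referrer-policy": "no-referrer",
}

def missing_or_wrong(headers):
    """Map each expected header that is absent or differs to ('missing'|'mismatch', actual).
    Names are compared case-insensitively; values are compared after trimming."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    problems = {}
    for name, want in EXPECTED.items():
        got = lowered.get(name)
        if got is None:
            problems[name] = ("missing", None)
        elif got != want:
            problems[name] = ("mismatch", got)
    return problems

def audit(responses):
    """Return only the resources whose headers deviate, keyed by path."""
    report = {path: missing_or_wrong(h) for path, h in responses.items()}
    return {path: problems for path, problems in report.items() if problems}

def fetch_headers(url, user, password):
    """Fetch a resource with HTTP Basic auth (the config uses <http-basic/>) and return
    its response headers. Needs the app running, so the offline sample below is used instead."""
    req = urllib.request.Request(url)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req) as resp:
        return dict(resp.headers.items())

# Constructed responses: the 1,379-byte logo carries every header, the 73,358-byte
# error image was committed before the header writers ran, so it carries none.
SAMPLE = {
    "/img/logo.png": {"Content-Type": "image/png", "Content-Length": "1379",
                      **{name.title(): value for name, value in EXPECTED.items()}},
    "/img/error.png": {"Content-Type": "image/png", "Content-Length": "73358"},
}
```

Against a running instance, replace `SAMPLE` with `{path: fetch_headers(base + path, user, password) for path in paths}` and fail the build when `audit(...)` is non-empty.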