From 2774b99adbcac2b1a409596abbff71978913acb0 Mon Sep 17 00:00:00 2001
From: Luke Guan <150387335+awslukeguan@users.noreply.github.com>
Date: Fri, 30 Aug 2024 16:28:27 -0400
Subject: [PATCH 1/3] Updated documentation and tests

---
 packages/aws-cdk-lib/aws-cloudfront/README.md | 2 +-
 .../aws-cloudfront/test/response-headers-policy.test.ts | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/packages/aws-cdk-lib/aws-cloudfront/README.md b/packages/aws-cdk-lib/aws-cloudfront/README.md
index 69dd28e093cc1..dfb46a6ad5c7d 100644
--- a/packages/aws-cdk-lib/aws-cloudfront/README.md
+++ b/packages/aws-cdk-lib/aws-cloudfront/README.md
@@ -343,7 +343,7 @@ const myResponseHeadersPolicy = new cloudfront.ResponseHeadersPolicy(this, 'Resp
 frameOptions: { frameOption: cloudfront.HeadersFrameOption.DENY, override: true },
 referrerPolicy: { referrerPolicy: cloudfront.HeadersReferrerPolicy.NO_REFERRER, override: true },
 strictTransportSecurity: { accessControlMaxAge: Duration.seconds(600), includeSubdomains: true, override: true },
- xssProtection: { protection: true, modeBlock: true, reportUri: 'https://example.com/csp-report', override: true },
+ xssProtection: { protection: true, modeBlock: false, reportUri: 'https://example.com/csp-report', override: true },
 },
 removeHeaders: ['Server'],
 serverTimingSamplingRate: 50,
diff --git a/packages/aws-cdk-lib/aws-cloudfront/test/response-headers-policy.test.ts b/packages/aws-cdk-lib/aws-cloudfront/test/response-headers-policy.test.ts
index 2950ec5373dea..44299554f07ac 100644
--- a/packages/aws-cdk-lib/aws-cloudfront/test/response-headers-policy.test.ts
+++ b/packages/aws-cdk-lib/aws-cloudfront/test/response-headers-policy.test.ts
@@ -62,7 +62,7 @@ describe('ResponseHeadersPolicy', () => {
 frameOptions: { frameOption: HeadersFrameOption.DENY, override: true },
 referrerPolicy: { referrerPolicy: HeadersReferrerPolicy.NO_REFERRER, override: true },
 strictTransportSecurity: { accessControlMaxAge: Duration.seconds(600), includeSubdomains: true, override: true },
- xssProtection: { protection: true, modeBlock: true, reportUri: 'https://example.com/csp-report', override: true },
+ xssProtection: { protection: true, modeBlock: false, reportUri: 'https://example.com/csp-report', override: true },
 },
 removeHeaders: ['Server'],
 serverTimingSamplingRate: 12.3456,
@@ -136,7 +136,7 @@ describe('ResponseHeadersPolicy', () => {
 Override: true,
 },
 XSSProtection: {
- ModeBlock: true,
+ ModeBlock: false,
 Override: true,
 Protection: true,
 ReportUri: 'https://example.com/csp-report',
From dab342e9997e88ffeb4422c01d48ceaed3ac2284 Mon Sep 17 00:00:00 2001
From: Luke Guan <150387335+awslukeguan@users.noreply.github.com>
Date: Tue, 3 Sep 2024 14:59:04 -0400
Subject: [PATCH 2/3] added statement in readme

---
 packages/aws-cdk-lib/aws-cloudfront/README.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/packages/aws-cdk-lib/aws-cloudfront/README.md b/packages/aws-cdk-lib/aws-cloudfront/README.md
index dfb46a6ad5c7d..1305c576b57af 100644
--- a/packages/aws-cdk-lib/aws-cloudfront/README.md
+++ b/packages/aws-cdk-lib/aws-cloudfront/README.md
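Review bot: The fixture now reads `xssProtection: { protection: true, modeBlock: false, reportUri: 'https://example.com/csp-report', override: true }` and the second hunk (`@@ -136`) pins `ModeBlock: false` in the synthesized template, so the suite covers only the allowed combination; nothing exercises `modeBlock: true` together with `reportUri`, which is exactly the combination the README change in this series documents as not permitted. If `ResponseHeadersPolicy` rejects that combination at synthesis time, a test constructing the policy with both set and asserting it throws would lock the rule in; if it does not, the invalid template would only fail at deploy time, which is worth a follow-up. Which case applies cannot be determined from this diff, since the construct implementation is not shown. The enclosing `describe('ResponseHeadersPolicy', …)` block begins and ends outside both hunks.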
@@ -308,6 +308,8 @@ You can configure CloudFront to add one or more HTTP headers to the responses th
 To specify the headers that CloudFront adds to HTTP responses, you use a response headers policy. CloudFront adds the headers regardless of whether it serves the object from the cache or has to retrieve the object from the origin. If the origin response includes one or more of the headers that’s in a response headers policy, the policy can specify whether CloudFront uses the header it received from the origin or overwrites it with the one in the policy.
 See https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/adding-response-headers.html
 
+Please note if property of xssProtection `reportUri` is specified, then `modeBlock` cannot be set to `true`.
+
 ```ts
 // Using an existing managed response headers policy
 declare const bucketOrigin: origins.S3Origin;
From 9c3c6da9f1ac0e678de85f2e1215a6a766584b89 Mon Sep 17 00:00:00 2001
From: Kaizen Conroy <36202692+kaizencc@users.noreply.github.com>
Date: Wed, 4 Sep 2024 10:50:36 -0400
Subject: [PATCH 3/3] Update packages/aws-cdk-lib/aws-cloudfront/README.md

---
 packages/aws-cdk-lib/aws-cloudfront/README.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/packages/aws-cdk-lib/aws-cloudfront/README.md b/packages/aws-cdk-lib/aws-cloudfront/README.md
index 1305c576b57af..6d2ea99025098 100644
--- a/packages/aws-cdk-lib/aws-cloudfront/README.md
+++ b/packages/aws-cdk-lib/aws-cloudfront/README.md
@@ -308,7 +308,8 @@ You can configure CloudFront to add one or more HTTP headers to the responses th
 To specify the headers that CloudFront adds to HTTP responses, you use a response headers policy. CloudFront adds the headers regardless of whether it serves the object from the cache or has to retrieve the object from the origin. If the origin response includes one or more of the headers that’s in a response headers policy, the policy can specify whether CloudFront uses the header it received from the origin or overwrites it with the one in the policy.
 See https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/adding-response-headers.html
 
-Please note if property of xssProtection `reportUri` is specified, then `modeBlock` cannot be set to `true`.
+> [!NOTE]
+> If xssProtection `reportUri` is specified, then `modeBlock` cannot be set to `true`.
 
 ```ts
 // Using an existing managed response headers policy