From f6f704813befb9caf8928704d56dedc2d30fc7ec Mon Sep 17 00:00:00 2001
From: wangjiahao <1522128093@qq.com>
Date: Thu, 11 Jun 2026 11:35:46 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20=E5=A2=9E=E5=8A=A0=20`Content-Security-P?=
 =?UTF-8?q?olicy`=20=E7=AD=89=E5=AE=89=E5=85=A8=E6=A0=87=E8=AF=86?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../src/main/java/io/dataease/filter/HtmlResourceFilter.java | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/sdk/common/src/main/java/io/dataease/filter/HtmlResourceFilter.java b/sdk/common/src/main/java/io/dataease/filter/HtmlResourceFilter.java
index cdeda6baae..aa1c22dbb2 100644
--- a/sdk/common/src/main/java/io/dataease/filter/HtmlResourceFilter.java
+++ b/sdk/common/src/main/java/io/dataease/filter/HtmlResourceFilter.java
@@ -37,6 +37,10 @@ public class HtmlResourceFilter implements Filter, Ordered {
             httpResponse.setHeader(HttpHeaders.PRAGMA, "no-cache");
             httpResponse.setHeader(HttpHeaders.EXPIRES, "0");
         }
+        httpResponse.setHeader("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self' data:; connect-src 'self'; frame-ancestors 'self'");
+        httpResponse.setHeader("X-Content-Type-Options", "nosniff");
+        httpResponse.setHeader("X-Frame-Options", "SAMEORIGIN");
+        httpResponse.setHeader("X-XSS-Protection", "1; mode=block");
         // 继续执行过滤器链
         try {
             filterChain.doFilter(servletRequest, httpResponse);
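Review bot: The new `Content-Security-Policy` line permits `'unsafe-inline' 'unsafe-eval'` in `script-src`, so any injected inline script or eval'd string is still allowed to run and the policy gives almost no protection against XSS; if the front-end bundle cannot yet use nonces or hashes, say so next to the header with a comment such as `// NOTE: script-src still allows inline/eval scripts; tighten to nonce/hash sources once the SPA supports it` so the policy is not mistaken for a hardening measure. The last added line should read `httpResponse.setHeader("X-XSS-Protection", "0");` — the `1; mode=block` auditor has been removed from current browsers and in older ones introduced information-leak issues of its own, so current guidance is to disable it explicitly rather than enable it. The directives are also hard-coded: `connect-src 'self'` blocks every cross-origin XHR/fetch/WebSocket from these pages, and `frame-ancestors 'self'` together with `X-Frame-Options: SAMEORIGIN` blocks embedding them in any third-party site, so if such deployments exist (cannot be confirmed from this hunk) the policy string should come from a configuration property with this value as the default. The enclosing `doFilter` method begins before and continues after this hunk.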