Merge pull request #5894 from soul2zimate/WFCORE-6723-main

[WFCORE-6723] Add header 'X-Content-Type-Options' to http management handlers

domain-http/interface/src/main/java/org/jboss/as/domain/http/server/DomainUtil.java

@@ -202,7 +202,7 @@ static ResourceHandlerDefinition createStaticContentHandler(ResourceManager reso
                 .setCachable(not(suffixes(NOCACHE_JS, APP_HTML, INDEX_HTML)));
 
         // avoid clickjacking attacks: console must not be included in (i)frames
-        SetHeaderHandler frameHandler = new SetHeaderHandler(handler, "X-Frame-Options", "SAMEORIGIN");
+        SetHeaderHandler frameHandler = new SetHeaderHandler (new SetHeaderHandler(handler, "X-Frame-Options", "SAMEORIGIN"), "X-Content-Type-Options", "nosniff");
         // we also need to setup the default resource redirect
         PredicateHandler predicateHandler = new PredicateHandler(path("/"), new RedirectHandler(ExchangeAttributes.constant(context + DEFAULT_RESOURCE)), frameHandler);
         return new ResourceHandlerDefinition(context, DEFAULT_RESOURCE, predicateHandler);

domain-http/interface/src/main/java/org/jboss/as/domain/http/server/ManagementHttpServer.java

@@ -260,20 +260,20 @@ private static void addRedirectRedinessHandler(PathHandler pathHandler, Resource
     }
 
     private static HttpHandler addDmrRedinessHandler(PathHandler pathHandler, HttpHandler domainApiHandler, Function<HttpServerExchange, Boolean> readinessFunction) {
-        HttpHandler readinessHandler = wrapXFrameOptions(new DmrFailureReadinessHandler(readinessFunction, domainApiHandler, ErrorContextHandler.ERROR_CONTEXT));
+        HttpHandler readinessHandler = wrapHttpHeader(wrapHttpHeader(new DmrFailureReadinessHandler(readinessFunction, domainApiHandler, ErrorContextHandler.ERROR_CONTEXT), "X-Frame-Options", "SAMEORIGIN"), "X-Content-Type-Options", "nosniff");
         pathHandler.addPrefixPath(DomainApiCheckHandler.PATH, readinessHandler);
         pathHandler.addExactPath(DomainApiCheckHandler.GENERIC_CONTENT_REQUEST, readinessHandler);
 
         return readinessHandler;
     }
 
     private static void addLogoutHandler(PathHandler pathHandler, Builder builder) {
-        pathHandler.addPrefixPath(LogoutHandler.PATH, wrapXFrameOptions(
-                new LogoutHandler(DEFAULT_SECURITY_REALM)));
+        pathHandler.addPrefixPath(LogoutHandler.PATH, wrapHttpHeader(wrapHttpHeader(
+                new LogoutHandler(DEFAULT_SECURITY_REALM), "X-Frame-Options", "SAMEORIGIN"), "X-Content-Type-Options", "nosniff"));
     }
 
     private static void addErrorContextHandler(PathHandler pathHandler, Builder builder) throws ModuleLoadException {
-        HttpHandler errorContextHandler = wrapXFrameOptions(ErrorContextHandler.createErrorContext(builder.consoleSlot));
+        HttpHandler errorContextHandler = (wrapHttpHeader(wrapHttpHeader(ErrorContextHandler.createErrorContext(builder.consoleSlot), "X-Frame-Options", "SAMEORIGIN"), "X-Content-Type-Options", "nosniff"));
         pathHandler.addPrefixPath(ErrorContextHandler.ERROR_CONTEXT, errorContextHandler);
     }
 
@@ -421,8 +421,8 @@ public void authenticationComplete(SecurityIdentity securityIdentity, String mec
         return domainHandler;
     }
 
-    private static HttpHandler wrapXFrameOptions(final HttpHandler toWrap) {
-        return new SetHeaderHandler(toWrap, "X-Frame-Options", "SAMEORIGIN");
+    private static HttpHandler wrapHttpHeader(final HttpHandler toWrap, final String header, final String value) {
+        return new SetHeaderHandler(toWrap, header, value);
     }
 
     private static Function<HttpServerExchange, Boolean> ALWAYS_READY = new Function<HttpServerExchange, Boolean>() {