docs(cloudfront): updates to CloudFront ResponseHeadersPolicy XSSProtection (#31301)

awslukeguan · web-flow · commit 511eab3fec95 · 2024-09-04T15:25:22.000Z
### Issue # (if applicable) Closes #20962 ### Reason for this change Update the documentation to have a deployable example. ### Description of changes Set `modeBlock` to false when `reportUri` is set. You cannot specify a ReportUri when ModeBlock is true. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-responseheaderspolicy-xssprotection.html ### Description of how you validated changes Updated the tests ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/aws-cdk-lib/aws-cloudfront/README.md b/packages/aws-cdk-lib/aws-cloudfront/README.md
@@ -308,6 +308,9 @@ You can configure CloudFront to add one or more HTTP headers to the responses th
 To specify the headers that CloudFront adds to HTTP responses, you use a response headers policy. CloudFront adds the headers regardless of whether it serves the object from the cache or has to retrieve the object from the origin. If the origin response includes one or more of the headers that’s in a response headers policy, the policy can specify whether CloudFront uses the header it received from the origin or overwrites it with the one in the policy.
 See https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/adding-response-headers.html
 
+> [!NOTE]
+> If xssProtection `reportUri` is specified, then `modeBlock` cannot be set to `true`.
+
 ```ts
 // Using an existing managed response headers policy
 declare const bucketOrigin: origins.S3Origin;
@@ -343,7 +346,7 @@ const myResponseHeadersPolicy = new cloudfront.ResponseHeadersPolicy(this, 'Resp
     frameOptions: { frameOption: cloudfront.HeadersFrameOption.DENY, override: true },
     referrerPolicy: { referrerPolicy: cloudfront.HeadersReferrerPolicy.NO_REFERRER, override: true },
     strictTransportSecurity: { accessControlMaxAge: Duration.seconds(600), includeSubdomains: true, override: true },
-    xssProtection: { protection: true, modeBlock: true, reportUri: 'https://example.com/csp-report', override: true },
+    xssProtection: { protection: true, modeBlock: false, reportUri: 'https://example.com/csp-report', override: true },
   },
   removeHeaders: ['Server'],
   serverTimingSamplingRate: 50,
diff --git a/packages/aws-cdk-lib/aws-cloudfront/test/response-headers-policy.test.ts b/packages/aws-cdk-lib/aws-cloudfront/test/response-headers-policy.test.ts
@@ -62,7 +62,7 @@ describe('ResponseHeadersPolicy', () => {
         frameOptions: { frameOption: HeadersFrameOption.DENY, override: true },
         referrerPolicy: { referrerPolicy: HeadersReferrerPolicy.NO_REFERRER, override: true },
         strictTransportSecurity: { accessControlMaxAge: Duration.seconds(600), includeSubdomains: true, override: true },
-        xssProtection: { protection: true, modeBlock: true, reportUri: 'https://example.com/csp-report', override: true },
+        xssProtection: { protection: true, modeBlock: false, reportUri: 'https://example.com/csp-report', override: true },
       },
       removeHeaders: ['Server'],
       serverTimingSamplingRate: 12.3456,
@@ -136,7 +136,7 @@ describe('ResponseHeadersPolicy', () => {
             Override: true,
           },
           XSSProtection: {
-            ModeBlock: true,
+            ModeBlock: false,
             Override: true,
             Protection: true,
             ReportUri: 'https://example.com/csp-report',
