struts-issues mailing list archives

From GitBox <...@apache.org>
Subject [GitHub] [struts] salcho commented on a change in pull request #430: WW-5084: Add Content Security Policy support to Struts
Date Wed, 19 Aug 2020 08:27:30 GMT

salcho commented on a change in pull request #430:
URL: https://github.com/apache/struts/pull/430#discussion_r472854370



##########
File path: core/src/main/resources/struts-default.xml
##########
@@ -377,6 +378,10 @@
                 <interceptor-ref name="alias"/>
                 <interceptor-ref name="servletConfig"/>
                 <interceptor-ref name="i18n"/>
+                <interceptor-ref name="cspInterceptor">
+                    <param name="enforcingMode">false</param>
+                    <param name="reportUri">/csp-reports</param>
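Review bot: The interceptor lands in the default stack with `enforcingMode` set to `false`, so every application that inherits this stack gets a report-only CSP and blocks nothing until a developer overrides that param; the comment in struts-default.xml or the CSP documentation should say so plainly, and should also note that the relative `reportUri` of `/csp-reports` only collects anything if an action is mapped at that path to receive the reports.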

Review comment:
A user can still configure the `reportUri` value to point to an external host! So even if devs choose not to use/subclass the action that Struts provides, they can still use CSP's reporting features (see services like https://report-uri.io and suchlike). I would say leaving it here gives it visibility and perhaps we can make sure that documentation is clear on this point?

WDYT?




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


