salcho commented on a change in pull request #430:
URL: https://github.com/apache/struts/pull/430#discussion_r472854370
##########
File path: core/src/main/resources/struts-default.xml
##########
@@ -377,6 +378,10 @@
<interceptor-ref name="alias"/>
<interceptor-ref name="servletConfig"/>
<interceptor-ref name="i18n"/>
+ <interceptor-ref name="cspInterceptor">
+ <param name="enforcingMode">false</param>
+ <param name="reportUri">/csp-reports</param>
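Review bot: The default `reportUri` of `/csp-reports` assumes a collector is mapped at that relative path; if an application does not deploy the Struts-provided action (or its own endpoint) there, browsers will post violation reports into a 404 and they are lost without any visible error. Since `enforcingMode` is `false`, this stack only reports and does not block anything, so a missing collector means the interceptor has no observable effect at all. Suggest an inline XML comment above these two `<param>` lines saying that `reportUri` must point at a live collector, either a local action or an external service, and that `enforcingMode` must be switched to `true` before the policy protects anything; the same text belongs in the documentation for this default stack.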
Review comment:
A user can still configure the `reportUri` value to point to an external host! So even
if devs choose not to use/subclass the action that Struts provides, they can still use CSP's
reporting features (see services like https://report-uri.io and suchlike). I would say leaving
it here gives it visibility and perhaps we can make sure that documentation is clear on this
point?
WDYT?
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org