struts-issues mailing list archives

From GitBox <...@apache.org>
Subject [GitHub] [struts] aleksandr-m commented on a change in pull request #430: WW-5084: Add Content Security Policy support to Struts
Date Wed, 19 Aug 2020 20:07:24 GMT

aleksandr-m commented on a change in pull request #430:
URL: https://github.com/apache/struts/pull/430#discussion_r473288542



##########
File path: core/src/main/resources/struts-default.xml
##########
@@ -377,6 +378,10 @@
                 <interceptor-ref name="alias"/>
                 <interceptor-ref name="servletConfig"/>
                 <interceptor-ref name="i18n"/>
+                <interceptor-ref name="cspInterceptor">
+                    <param name="enforcingMode">false</param>
+                    <param name="reportUri">/csp-reports</param>
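Review bot: the `reportUri` param on the `cspInterceptor` ref hard-codes `/csp-reports` in the default stack, so every application that inherits this stack would name that path as its report endpoint whether or not anything is mapped there. Consider leaving `reportUri` out of struts-default.xml so applications set it in their own stack, or document beside this ref that the application must handle that path. With `enforcingMode` set to `false` the policy is report-only, so the report endpoint is the only place violations surface, and an unmapped or colliding path should be resolved before this becomes a default.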

Review comment:
This is the default stack, meaning that the report URI will be set for all applications
using it. If there is no `/csp-reports` action then what will happen? 404?

Also (slim chances but still) what if an application already has an action with that exact name,
but for some other stuff?




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


