struts-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From GitBox <...@apache.org>
Subject [GitHub] [struts] salcho commented on a change in pull request #430: WW-5084: Add Content Security Policy support to Struts
Date Thu, 20 Aug 2020 08:00:43 GMT

salcho commented on a change in pull request #430:
URL: https://github.com/apache/struts/pull/430#discussion_r473732850



##########
File path: core/src/main/resources/struts-default.xml
##########
@@ -377,6 +378,10 @@
                 <interceptor-ref name="alias"/>
                 <interceptor-ref name="servletConfig"/>
                 <interceptor-ref name="i18n"/>
+                <interceptor-ref name="cspInterceptor">
+                    <param name="enforcingMode">false</param>
+                    <param name="reportUri">/csp-reports</param>

Review comment:
       That's a fair point! I've pushed a new commit with these changes so the new behaviour
is:
   
   - By default, CSP will be set to report-mode (so all websites continue working as previously)
and violations will only show up on the console.
   - If a user decides to add a reportUri, violations will be seen on the console and will
be sent to the URI.
   - A user may choose to turn enforcement mode on and the above two points still hold.
   
   I think this is a less intrusive default config!




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



Mime
View raw message