struts-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF GitHub Bot (Jira)" <j...@apache.org>
Subject [jira] [Work logged] (WW-5084) Content Security Policy support
Date Thu, 20 Aug 2020 08:01:00 GMT

     [ https://issues.apache.org/jira/browse/WW-5084?focusedWorklogId=472792&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-472792
]

ASF GitHub Bot logged work on WW-5084:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 20/Aug/20 08:00
            Start Date: 20/Aug/20 08:00
    Worklog Time Spent: 10m 
      Work Description: salcho commented on a change in pull request #430:
URL: https://github.com/apache/struts/pull/430#discussion_r473732850



##########
File path: core/src/main/resources/struts-default.xml
##########
@@ -377,6 +378,10 @@
                 <interceptor-ref name="alias"/>
                 <interceptor-ref name="servletConfig"/>
                 <interceptor-ref name="i18n"/>
+                <interceptor-ref name="cspInterceptor">
+                    <param name="enforcingMode">false</param>
+                    <param name="reportUri">/csp-reports</param>

Review comment:
       That's a fair point! I've pushed a new commit with these changes so the new behaviour
is:
   
   - By default, CSP will be set to report-mode (so all websites continue working as previously)
and violations will only show up on the console.
   - If a user decides to add a reportUri, violations will be seen on the console and will
be sent to the URI.
   - A user may choose to turn enforcement mode on and the above two points still hold.
   
   I think this is a less intrusive default config!




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


Issue Time Tracking
-------------------

    Worklog Id:     (was: 472792)
    Time Spent: 3h 50m  (was: 3h 40m)

> Content Security Policy support
> -------------------------------
>
>                 Key: WW-5084
>                 URL: https://issues.apache.org/jira/browse/WW-5084
>             Project: Struts 2
>          Issue Type: New Feature
>          Components: Core Interceptors, Core Tags
>    Affects Versions: 2.6
>            Reporter: Santiago Diaz
>            Priority: Major
>             Fix For: 2.6
>
>          Time Spent: 3h 50m
>  Remaining Estimate: 0h
>
> We'd like to add built-in Content Security Policy support to Struts2 to provide a major
security mechanism that developers can use to protect against common Cross-Site Scripting
vulnerabilities. Developers will have the ability to enable CSP in report-only or enforcement
mode.
> We will provide an out of the box tag that can be used by developers to use/import scripts
in their web applications, so that these will automatically get nonces that are compatible
with their Content Security policies.
> Finally, we will provide a built-in handler for CSP violation reports that will be used
to collect and provide textual explanations of these reports. This endpoint will be used by
developers to debug CSP violations and locate pieces of code that need to be refactored to
support strong policies.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Mime
View raw message