struts-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF subversion and git services (Jira)" <>
Subject [jira] [Commented] (WW-5084) Content Security Policy support
Date Sun, 30 Aug 2020 20:38:00 GMT


ASF subversion and git services commented on WW-5084:

Commit 6210afa747a67cabcddd6d72f675ed3d8023bda5 in struts's branch refs/heads/master from
Aleksandr Mashchenko
[;h=6210afa ]

Merge pull request #430 from salcho/post-ww-5083

WW-5084: Add Content Security Policy support to Struts

> Content Security Policy support
> -------------------------------
>                 Key: WW-5084
>                 URL:
>             Project: Struts 2
>          Issue Type: New Feature
>          Components: Core Interceptors, Core Tags
>    Affects Versions: 2.6
>            Reporter: Santiago Diaz
>            Priority: Major
>             Fix For: 2.6
>          Time Spent: 5h 10m
>  Remaining Estimate: 0h
> We'd like to add built-in Content Security Policy support to Struts2 to provide a major
security mechanism that developers can use to protect against common Cross-Site Scripting
vulnerabilities. Developers will have the ability to enable CSP in report-only or enforcement
> We will provide an out of the box tag that can be used by developers to use/import scripts
in their web applications, so that these will automatically get nonces that are compatible
with their Content Security policies.
> Finally, we will provide a built-in handler for CSP violation reports that will be used
to collect and provide textual explanations of these reports. This endpoint will be used by
developers to debug CSP violations and locate pieces of code that need to be refactored to
support strong policies.

This message was sent by Atlassian Jira

View raw message