struts-issues mailing list archives

From "ASF GitHub Bot (Jira)" <j...@apache.org>
Subject [jira] [Work logged] (WW-5085) Add Cross-Origin Opener Policy and Cross-Origin Embedder Policy Support
Date Sat, 15 Aug 2020 09:55:00 GMT

     [ https://issues.apache.org/jira/browse/WW-5085?focusedWorklogId=471056&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-471056 ]

ASF GitHub Bot logged work on WW-5085:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 15/Aug/20 09:54
            Start Date: 15/Aug/20 09:54
    Worklog Time Spent: 10m 
      Work Description: yasserzamani commented on pull request #432:
URL: https://github.com/apache/struts/pull/432#issuecomment-674376827


   LGTM :+1: thanks a lot!


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


Issue Time Tracking
-------------------

            Worklog Id:     (was: 471056)
    Remaining Estimate: 71.5h  (was: 71h 40m)
            Time Spent: 0.5h  (was: 20m)

> Add Cross-Origin Opener Policy and Cross-Origin Embedder Policy Support
> -----------------------------------------------------------------------
>
>                 Key: WW-5085
>                 URL: https://issues.apache.org/jira/browse/WW-5085
>             Project: Struts 2
>          Issue Type: New Feature
>          Components: Core Interceptors
>    Affects Versions: 2.6
>            Reporter: Giannis Chatziveroglou
>            Priority: Major
>             Fix For: 2.6
>
>   Original Estimate: 72h
>          Time Spent: 0.5h
>  Remaining Estimate: 71.5h
>
> We would like to add support in Struts for Cross-Origin Opener and Cross-Origin Embedder Policy.
> COOP is a security mitigation that lets developers isolate their resources against side-channel attacks and information leaks. COOP is now supported by all major browsers.
> A COOP interceptor will be implemented to add COOP headers to HTTP responses, allowing developers to configure COOP to use {{unsafe-none}}, {{same-site}} or {{same-origin}}. Finally, developers will be able to disable COOP entirely for a set of exempted paths that are intended to be used cross-site.
>  
> COEP is a security mitigation which lets developers ensure that all resources loaded by a given document have explicitly opted into being embedded. COEP is now supported by all major browsers.
> A COEP interceptor will be implemented to add COEP headers to HTTP responses, configuring COEP to the only accepted value "require-corp". A built-in handler for COEP violation reports will be used to collect and provide textual explanations of these reports. This will be achieved with the setting of the "report-to" header to a default endpoint or one specified by the developer.
> Additionally, developers will be able to choose between two options: whether they want to both block resources and send a report to the endpoint or only send a report without blocking the resources. Finally, developers will be able to disable COEP entirely.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
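
The header decisions described in the issue above, written out as an added example; this is not the code from pull request #432 or from Struts. The class name, exempt paths and report endpoint are hypothetical, the accepted COOP values are the ones the HTML standard defines, and matching exempt paths by prefix is an assumption.

```java
import java.net.URI;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class IsolationHeaders {
    enum CoepMode { DISABLED, REPORT_ONLY, ENFORCE }

    // Constructed sample configuration (hypothetical paths and endpoint).
    static final List<String> EXEMPT_PREFIXES = List.of("/public/", "/oauth/callback");
    static final String REPORT_URL = "https://app.example/coep-reports";
    // COOP values defined by the HTML standard.
    static final Set<String> COOP_VALUES =
            Set.of("unsafe-none", "same-origin-allow-popups", "same-origin");

    static boolean isExempt(String rawPath) {
        // Normalize first so "/public/../admin" is not exempted by the prefix match.
        String path = URI.create(rawPath).normalize().getPath();
        return EXEMPT_PREFIXES.stream().anyMatch(path::startsWith);
    }

    static Map<String, String> headersFor(String rawPath, String coop, CoepMode coep) {
        // Fail at configuration time on a mistyped value instead of sending it.
        if (!COOP_VALUES.contains(coop)) {
            throw new IllegalArgumentException("unknown COOP value: " + coop);
        }
        Map<String, String> h = new LinkedHashMap<>();
        if (!isExempt(rawPath)) {
            h.put("Cross-Origin-Opener-Policy", coop); // skipped on cross-site paths
        }
        if (coep != CoepMode.DISABLED) {
            // Report-only mode sends violation reports without blocking resources.
            String name = coep == CoepMode.ENFORCE
                    ? "Cross-Origin-Embedder-Policy"
                    : "Cross-Origin-Embedder-Policy-Report-Only";
            h.put(name, "require-corp; report-to=\"coep\"");
            h.put("Report-To", "{\"group\":\"coep\",\"max_age\":86400,"
                    + "\"endpoints\":[{\"url\":\"" + REPORT_URL + "\"}]}");
        }
        return h;
    }

    public static void main(String[] args) {
        for (String p : List.of("/account/settings", "/public/widget.js", "/public/../admin")) {
            System.out.println(p + " -> " + headersFor(p, "same-origin", CoepMode.REPORT_ONLY));
        }
    }
}
```

The third sample path shows why the exemption check normalizes the path before matching: without that step, a request for `/public/../admin` would lose its COOP header.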
