
List:       struts-dev
Subject:    [jira] [Created] (WW-5084) Content Security Policy support
From:       "Santiago Diaz (Jira)" <jira () apache ! org>
Date:       2020-07-21 13:18:00
Message-ID: JIRA.13318494.1595337441000.97258.1595337480015 () Atlassian ! JIRA

Santiago Diaz created WW-5084:
---------------------------------

             Summary: Content Security Policy support
                 Key: WW-5084
                 URL: https://issues.apache.org/jira/browse/WW-5084
             Project: Struts 2
          Issue Type: New Feature
          Components: Core Interceptors, Core Tags
    Affects Versions: 2.6
            Reporter: Santiago Diaz


We'd like to add built-in Content Security Policy support to Struts2 to provide a
major security mechanism that developers can use to protect against common Cross-Site
Scripting vulnerabilities. Developers will have the ability to enable CSP in
report-only or enforcement mode.

We will provide an out of the box tag that can be used by developers to use/import
scripts in their web applications, so that these will automatically get nonces that
are compatible with their Content Security Policy policies.

Finally, we will provide a built-in handler for CSP violation reports that will be
used to collect and provide textual explanations of these reports. This endpoint will
be used by developers to debug CSP violations and locate pieces of code that need to
be refactored to support strong policies.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

