[prev in list] [next in list] [prev in thread] [next in thread]
List: struts-dev
Subject: [jira] [Updated] (WW-5084) Content Security Policy support
From: "Santiago Diaz (Jira)" <jira () apache ! org>
Date: 2020-07-22 9:13:00
Message-ID: JIRA.13318494.1595337441000.102609.1595409180354 () Atlassian ! JIRA
[Download RAW message or body]
[ https://issues.apache.org/jira/browse/WW-5084?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel \
]
Santiago Diaz updated WW-5084:
------------------------------
Description:
We'd like to add built-in Content Security Policy support to Struts2 to provide a \
major security mechanism that developers can use to protect against common Cross-Site \
Scripting vulnerabilities. Developers will have the ability to enable CSP in \
report-only or enforcement mode.
We will provide an out of the box tag that can be used by developers to use/import \
scripts in their web applications, so that these will automatically get nonces that \
are compatible with their Content Security policies.
Finally, we will provide a built-in handler for CSP violation reports that will be \
used to collect and provide textual explanations of these reports. This endpoint will \
be used by developers to debug CSP violations and locate pieces of code that need to \
be refactored to support strong policies.
was:
We'd like to add built-in Content Security Policy support to Struts2 to provide a \
major security mechanism that developers can use to protect against common Cross-Site \
Scripting vulnerabilities. Developers will have the ability to enable CSP in \
report-only or enforcement mode.
We will provide an out of the box tag that can be used by developers to use/import \
scripts in their web applications, so that these will automatically get nonces that \
are compatible with their Content Security Policy policies.
Finally, we will provide a built-in handler for CSP violation reports that will be \
used to collect and provide textual explanations of these reports. This endpoint will \
be used by developers to debug CSP violations and locate pieces of code that need to \
be refactored to support strong policies.
> Content Security Policy support
> -------------------------------
>
> Key: WW-5084
> URL: https://issues.apache.org/jira/browse/WW-5084
> Project: Struts 2
> Issue Type: New Feature
> Components: Core Interceptors, Core Tags
> Affects Versions: 2.6
> Reporter: Santiago Diaz
> Priority: Major
> Fix For: 2.6
>
>
> We'd like to add built-in Content Security Policy support to Struts2 to provide a \
> major security mechanism that developers can use to protect against common \
> Cross-Site Scripting vulnerabilities. Developers will have the ability to enable \
> CSP in report-only or enforcement mode. We will provide an out of the box tag that \
> can be used by developers to use/import scripts in their web applications, so that \
> these will automatically get nonces that are compatible with their Content Security \
> policies. Finally, we will provide a built-in handler for CSP violation reports \
> that will be used to collect and provide textual explanations of these reports. \
> This endpoint will be used by developers to debug CSP violations and locate pieces \
> of code that need to be refactored to support strong policies.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic