
List:       struts-dev
Subject:    [jira] [Comment Edited] (WW-5084) Content Security Policy support
From:       "Santiago Diaz (Jira)" <jira () apache ! org>
Date:       2020-07-24 8:43:00
Message-ID: JIRA.13318494.1595337441000.116736.1595580180280 () Atlassian ! JIRA


    [ https://issues.apache.org/jira/browse/WW-5084?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17164264#comment-17164264 ]

Santiago Diaz edited comment on WW-5084 at 7/24/20, 8:42 AM:
-------------------------------------------------------------

Yes, I'd lean towards not implementing complex solutions (like proxying RuntimeConfiguration) and rather requiring users to add an explicit mapping in their struts.xml. The downside of this (having two pieces of config [one for the interceptor and one for reporting] to enable CSP with reporting instead of one) seems much preferable to one piece of config that requires us to mess with RuntimeConfiguration, but it was worth making sure that this was the case :)

Thanks so much for your comments and enjoy your weekend!  


was (Author: saldiaz):
Yes, I'd lean towards not implementing complex solutions (like proxy'ing RuntimeConfiguration) and rather requiring users to add an explicit mapping in their struts.xml. The downside of this (having two pieces of config [one for the interceptor and one for reporting] to enable CSP with reporting instead of one) seem much preferable than one piece of config that requires us to mess with RuntimeConfiguration, but it was worth making sure that this was the case :)

Thanks so much for your comments and enjoy your weekend!  

> Content Security Policy support
> -------------------------------
> 
> Key: WW-5084
> URL: https://issues.apache.org/jira/browse/WW-5084
> Project: Struts 2
> Issue Type: New Feature
> Components: Core Interceptors, Core Tags
> Affects Versions: 2.6
> Reporter: Santiago Diaz
> Priority: Major
> Fix For: 2.6
> 
> 
> We'd like to add built-in Content Security Policy support to Struts2 to provide a major security mechanism that developers can use to protect against common Cross-Site Scripting vulnerabilities. Developers will have the ability to enable CSP in report-only or enforcement mode. We will provide an out of the box tag that can be used by developers to use/import scripts in their web applications, so that these will automatically get nonces that are compatible with their Content Security policies. Finally, we will provide a built-in handler for CSP violation reports that will be used to collect and provide textual explanations of these reports. This endpoint will be used by developers to debug CSP violations and locate pieces of code that need to be refactored to support strong policies.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
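The quoted issue description names three pieces: a policy header that can be emitted in report-only or enforcement mode, a script tag that carries a per-response nonce, and a report handler that turns browser violation reports into textual explanations. The following Python sketch is an added illustration of how those three pieces fit together; it is not Struts code and not the author's implementation. The function names, the `/csp-reports` path and the sample violation report are all constructed for this example.

```python
import base64
import json
import secrets


def make_nonce() -> str:
    """Fresh, unguessable nonce for one response (16 random bytes, base64)."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def build_csp_header(nonce: str, report_only: bool, report_uri: str = "/csp-reports"):
    """Return (header-name, header-value) for a nonce-based policy.

    report_only=True selects the Report-Only header, which logs violations
    without blocking anything, so a policy can be rolled out safely first.
    """
    policy = (
        "default-src 'self'; "
        f"script-src 'nonce-{nonce}'; "
        "object-src 'none'; "
        "base-uri 'none'; "
        f"report-uri {report_uri}"
    )
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return name, policy


def render_script_tag(src: str, nonce: str) -> str:
    """What a nonce-aware script tag would emit: the same nonce as the header."""
    return f'<script src="{src}" nonce="{nonce}"></script>'


def explain_report(report_json: str) -> str:
    """Translate a browser CSP violation report (the standard 'csp-report'
    JSON shape) into a one-line explanation pointing at the offending code."""
    report = json.loads(report_json).get("csp-report", {})
    directive = report.get("effective-directive") or report.get("violated-directive", "?")
    blocked = report.get("blocked-uri", "")
    where = report.get("source-file") or report.get("document-uri", "?")
    line = report.get("line-number")
    location = f"{where}:{line}" if line is not None else where
    if blocked == "inline":
        advice = ("an inline script or event handler ran without a nonce; move it to "
                  "an external file loaded through the nonced script tag, or give it "
                  "the nonce attribute")
    elif blocked == "eval":
        advice = "eval()/new Function() was used; replace it with static code"
    elif blocked:
        advice = f"the script at {blocked} was loaded without the nonce; load it through the nonced script tag instead"
    else:
        advice = "no blocked source was reported"
    return f"{directive} violation at {location}: {advice}"


# Constructed sample report, in the shape browsers POST to report-uri.
SAMPLE_REPORT = json.dumps({
    "csp-report": {
        "document-uri": "https://example.test/index",
        "effective-directive": "script-src-elem",
        "violated-directive": "script-src-elem",
        "original-policy": "default-src 'self'; script-src 'nonce-abc'",
        "blocked-uri": "inline",
        "source-file": "https://example.test/index",
        "line-number": 42,
    }
})


if __name__ == "__main__":
    nonce = make_nonce()
    print(build_csp_header(nonce, report_only=True))
    print(render_script_tag("/static/app.js", nonce))
    print(explain_report(SAMPLE_REPORT))
```

Rolling out with the Report-Only header first and reading the explanations is the workflow the issue describes: each report points at a script that still needs to go through the nonced tag before the policy is switched to enforcement mode.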


