'[jira] [Work logged] (WW-5084) Content Security Policy support'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       struts-dev
Subject:    [jira] [Work logged] (WW-5084) Content Security Policy support
From:       "ASF GitHub Bot (Jira)" <jira () apache ! org>
Date:       2020-07-30 13:42:00
Message-ID: JIRA.13318494.1595337441000.145931.1596116520205 () Atlassian ! JIRA
[Download RAW message or body]


     [ https://issues.apache.org/jira/browse/WW-5084?focusedWorklogId=464555&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-464555 \
]

ASF GitHub Bot logged work on WW-5084:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 30/Jul/20 13:41
            Start Date: 30/Jul/20 13:41
    Worklog Time Spent: 10m 
      Work Description: salcho edited a comment on pull request #430:
URL: https://github.com/apache/struts/pull/430#issuecomment-666370390


   This PR is associated with a follow up that refactors existing FTL and JSP files \
in Struts to make them CSP-ready. This will make it much easier to adopt CSP on an \
existing application. Please find a draft of this PR here: \
https://github.com/salcho/struts/pull/6


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


Issue Time Tracking
-------------------

    Worklog Id:     (was: 464555)
    Time Spent: 1h 20m  (was: 1h 10m)

> Content Security Policy support
> -------------------------------
> 
> Key: WW-5084
> URL: https://issues.apache.org/jira/browse/WW-5084
> Project: Struts 2
> Issue Type: New Feature
> Components: Core Interceptors, Core Tags
> Affects Versions: 2.6
> Reporter: Santiago Diaz
> Priority: Major
> Fix For: 2.6
> 
> Time Spent: 1h 20m
> Remaining Estimate: 0h
> 
> We'd like to add built-in Content Security Policy support to Struts2 to provide a \
> major security mechanism that developers can use to protect against common \
> Cross-Site Scripting vulnerabilities. Developers will have the ability to enable \
> CSP in report-only or enforcement mode. We will provide an out of the box tag that \
> can be used by developers to use/import scripts in their web applications, so that \
> these will automatically get nonces that are compatible with their Content Security \
> policies. Finally, we will provide a built-in handler for CSP violation reports \
> that will be used to collect and provide textual explanations of these reports. \
> This endpoint will be used by developers to debug CSP violations and locate pieces \
> of code that need to be refactored to support strong policies.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic