Posted to dev@struts.apache.org by GitBox <gi...@apache.org> on 2020/08/11 10:25:16 UTC

[GitHub] [struts] gchatz22 opened a new pull request #432: Add Cross-Origin Opener Policy (COOP) and Cross-Origin Embedder Policy (COEP) support

gchatz22 opened a new pull request #432:
URL: https://github.com/apache/struts/pull/432


   Hello Struts Devs!
   
   This PR adds Cross-Origin Opener Policy (COOP) and Cross-Origin Embedder Policy (COEP) support for Struts2, two very popular mitigations that aim to make a website cross-origin isolated.
   
   COOP is a security mitigation that lets developers isolate their resources against side-channel attacks and information leaks. COEP prevents a document from loading any non-same-origin resources which don't explicitly grant the document permission to be loaded. Both COOP and COEP require adding headers to the response object.
   
   COOP and COEP are independent mechanisms and they can be enabled, tested and deployed separately. Using COEP and COOP together allows developers to safely use powerful features such as `SharedArrayBuffer`, `performance.measureMemory()`, and the JS Self-Profiling API. COOP and COEP are now supported by all major browsers. See https://web.dev/why-coop-coep/ for reference.
   
   Here's a summary of the changes made:
   
   - We created 2 new interceptors, the `CoopInterceptor` and `CoepInterceptor`, that handle adding the response headers for the respective security mitigation. Both were added in the default stack of `struts-default.xml`.
   - Using the `CoopInterceptor`, developers have the ability to choose the policy they want COOP to operate with (`same-origin`, `same-origin-allow-popups`, or `unsafe-none`), set to `same-origin` by default. An exception is thrown if a policy other than the specified 3 is chosen by the developer.
   - Using the `CoepInterceptor`, developers have the ability to choose between the two modes they want COEP to operate under: enforcing mode (header set as `Cross-Origin-Embedder-Policy`), which blocks resources and reports violations, and reporting mode (header set as `Cross-Origin-Embedder-Policy-Report-Only`), which only reports the violation without blocking resources.
   - For both interceptors, developers are able to add exempted paths to which the chosen policy will not be applied.
   
   In `struts-default.xml` here is how developers can customize the interceptors:
   ```xml
   <interceptor-ref name="coopInterceptor">
       <param name="exemptedPaths">path1,path2</param>
       <param name="mode">same-origin</param>
   </interceptor-ref>
   <interceptor-ref name="coepInterceptor">
       <param name="enforcingMode">false</param>
       <param name="disabled">false</param>
       <param name="exemptedPaths">path1,path2</param>
   </interceptor-ref>
   ```


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
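The following is an added example, not code from the PR or from the Struts project: a single hypothetical Struts 2 interceptor, `CrossOriginIsolationInterceptor`, that folds the behaviour the PR description outlines (COOP mode validation, enforcing vs. report-only COEP header, a `disabled` switch, and exempted paths) into one class so the header logic is visible in one place. The class name, the exact-match check on the request URI, and the use of `require-corp` as the COEP value are assumptions; the setter names mirror the `<param>` names shown in the XML above, and the imports are the standard XWork/Struts 2.5 interceptor API.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.struts2.ServletActionContext;

import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

/**
 * Hypothetical interceptor (not the project's CoopInterceptor/CoepInterceptor)
 * that adds the COOP and COEP response headers described in the PR.
 * Class name, exact-match path check and the "require-corp" value are assumptions.
 */
public class CrossOriginIsolationInterceptor extends AbstractInterceptor {

    // The only three values COOP accepts; anything else is rejected in setMode().
    private static final Set<String> VALID_COOP_MODES = new HashSet<>(Arrays.asList(
            "same-origin", "same-origin-allow-popups", "unsafe-none"));

    // COOP defaults to the isolating policy, as the PR states.
    private String mode = "same-origin";
    // COEP: true  -> Cross-Origin-Embedder-Policy (blocks and reports)
    //       false -> Cross-Origin-Embedder-Policy-Report-Only (reports only)
    private boolean enforcingMode = true;
    private boolean disabled = false;
    // Request URIs for which neither header is added (assumed: exact match).
    private Set<String> exemptedPaths = Collections.emptySet();

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        HttpServletRequest request = ServletActionContext.getRequest();
        HttpServletResponse response = ServletActionContext.getResponse();

        // Set the headers before the action runs: once the action has written
        // enough of the body to commit the response, added headers are lost.
        if (!exemptedPaths.contains(request.getRequestURI())) {
            response.setHeader("Cross-Origin-Opener-Policy", mode);
            if (!disabled) {
                String coepHeader = enforcingMode
                        ? "Cross-Origin-Embedder-Policy"
                        : "Cross-Origin-Embedder-Policy-Report-Only";
                // "require-corp" is the value that blocks cross-origin resources
                // lacking CORP/CORS permission, which is the behaviour the PR describes.
                response.setHeader(coepHeader, "require-corp");
            }
        }
        return invocation.invoke();
    }

    /** Bound from <param name="mode">; rejects anything but the three COOP values. */
    public void setMode(String mode) {
        if (!VALID_COOP_MODES.contains(mode)) {
            throw new IllegalArgumentException(
                    "Invalid COOP mode '" + mode + "'; expected one of " + VALID_COOP_MODES);
        }
        this.mode = mode;
    }

    /** Bound from <param name="enforcingMode">. */
    public void setEnforcingMode(boolean enforcingMode) {
        this.enforcingMode = enforcingMode;
    }

    /** Bound from <param name="disabled">. */
    public void setDisabled(boolean disabled) {
        this.disabled = disabled;
    }

    /** Bound from <param name="exemptedPaths">, comma-separated as in the PR's XML. */
    public void setExemptedPaths(String exemptedPaths) {
        Set<String> paths = new HashSet<>();
        for (String p : exemptedPaths.split(",")) {
            if (!p.trim().isEmpty()) {
                paths.add(p.trim());
            }
        }
        this.exemptedPaths = paths;
    }
}
```

Registered in `struts.xml` with an `<interceptor>` element and referenced via `<interceptor-ref>`, the `<param>` values are injected through the setters, so an invalid `mode` fails at configuration time rather than silently emitting a header the browser ignores. Note that the report-only COEP header is useful for finding resources that would be blocked, but a page is only treated as cross-origin isolated (and features such as `SharedArrayBuffer` unlocked) when COOP is `same-origin` and the enforcing `Cross-Origin-Embedder-Policy` header is present.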


[GitHub] [struts] lukaszlenart merged pull request #432: WW-5085: Add Cross-Origin Opener Policy (COOP) and Cross-Origin Embedder Policy (COEP) support

Posted by GitBox <gi...@apache.org>.
lukaszlenart merged pull request #432:
URL: https://github.com/apache/struts/pull/432


   




[GitHub] [struts] yasserzamani commented on pull request #432: WW-5085: Add Cross-Origin Opener Policy (COOP) and Cross-Origin Embedder Policy (COEP) support

Posted by GitBox <gi...@apache.org>.
yasserzamani commented on pull request #432:
URL: https://github.com/apache/struts/pull/432#issuecomment-674376827


   LGTM :+1: thanks a lot!





[GitHub] [struts] coveralls edited a comment on pull request #432: WW-5085: Add Cross-Origin Opener Policy (COOP) and Cross-Origin Embedder Policy (COEP) support

Posted by GitBox <gi...@apache.org>.
coveralls edited a comment on pull request #432:
URL: https://github.com/apache/struts/pull/432#issuecomment-671908636


   
   [![Coverage Status](https://coveralls.io/builds/32675006/badge)](https://coveralls.io/builds/32675006)
   
   Coverage increased (+0.04%) to 49.384% when pulling **4acaccfa610da75b7828e93defa9982184648997 on salcho:coop-coep-post** into **a55e9ed93b3f442a1230be4b9b2ca936155868f5 on apache:master**.
   





[GitHub] [struts] coveralls commented on pull request #432: WW-5085: Add Cross-Origin Opener Policy (COOP) and Cross-Origin Embedder Policy (COEP) support

Posted by GitBox <gi...@apache.org>.
coveralls commented on pull request #432:
URL: https://github.com/apache/struts/pull/432#issuecomment-671908636


   
   [![Coverage Status](https://coveralls.io/builds/32673990/badge)](https://coveralls.io/builds/32673990)
   
   Coverage increased (+0.04%) to 49.384% when pulling **4acaccfa610da75b7828e93defa9982184648997 on salcho:coop-coep-post** into **a55e9ed93b3f442a1230be4b9b2ca936155868f5 on apache:master**.
   





[GitHub] [struts] lukaszlenart commented on pull request #432: WW-5085: Add Cross-Origin Opener Policy (COOP) and Cross-Origin Embedder Policy (COEP) support

Posted by GitBox <gi...@apache.org>.
lukaszlenart commented on pull request #432:
URL: https://github.com/apache/struts/pull/432#issuecomment-674677494


   👏  LGTM 👍 

