Posted to dev@struts.apache.org by GitBox <gi...@apache.org> on 2020/08/28 14:48:35 UTC

[GitHub] [struts-site] salcho opened a new pull request #149: Adding documentation for Fetch Metadata, Cross-Origin Opener Policy & Cross-Origin Embedder Policy

salcho opened a new pull request #149:
URL: https://github.com/apache/struts-site/pull/149


   Hello Struts devs!
   
   We're really proud to have contributed to Struts by adding Fetch Metadata (https://github.com/apache/struts/pull/426) and COOP/COEP support (https://github.com/apache/struts/pull/432) in the past few months while CSP is still being reviewed (https://github.com/apache/struts/pull/430). This PR updates documentation to reflect the new interceptors (not CSP!), their parameters, usage and brief explanations of what these security mitigations are and how they work. 
   
   We hope this will motivate Struts developers to enable brand new security mitigations on their way forward :)


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org


[GitHub] [struts-site] gchatz22 commented on pull request #149: Adding documentation for Fetch Metadata, Cross-Origin Opener Policy & Cross-Origin Embedder Policy

Posted by GitBox <gi...@apache.org>.
gchatz22 commented on pull request #149:
URL: https://github.com/apache/struts-site/pull/149#issuecomment-682771689


   Thank you for your comments @yasserzamani ! Applied your changes and as said will also be waiting for @apache/struts-committers opinion.




[GitHub] [struts-site] gchatz22 edited a comment on pull request #149: Adding documentation for Fetch Metadata, Cross-Origin Opener Policy & Cross-Origin Embedder Policy

Posted by GitBox <gi...@apache.org>.
gchatz22 edited a comment on pull request #149:
URL: https://github.com/apache/struts-site/pull/149#issuecomment-682771689


   Thank you for your comments @yasserzamani ! Applied your changes and as said will also be waiting for @[apache/struts-committers](https://github.com/orgs/apache/teams/struts-committers) opinion.




[GitHub] [struts-site] gchatz22 edited a comment on pull request #149: Adding documentation for Fetch Metadata, Cross-Origin Opener Policy & Cross-Origin Embedder Policy

Posted by GitBox <gi...@apache.org>.
gchatz22 edited a comment on pull request #149:
URL: https://github.com/apache/struts-site/pull/149#issuecomment-682771689


   Thank you for your comments @yasserzamani ! Applied your changes and as said will also be waiting for @apache/struts-committers opinion.




[GitHub] [struts-site] lukaszlenart merged pull request #149: Adding documentation for Fetch Metadata, Cross-Origin Opener Policy & Cross-Origin Embedder Policy

Posted by GitBox <gi...@apache.org>.
lukaszlenart merged pull request #149:
URL: https://github.com/apache/struts-site/pull/149


   




[GitHub] [struts-site] yasserzamani commented on a change in pull request #149: Adding documentation for Fetch Metadata, Cross-Origin Opener Policy & Cross-Origin Embedder Policy

Posted by GitBox <gi...@apache.org>.
yasserzamani commented on a change in pull request #149:
URL: https://github.com/apache/struts-site/pull/149#discussion_r479367165



##########
File path: source/core-developers/coep-interceptor.md
##########
@@ -0,0 +1,43 @@
+---
+layout: default
+title: COEP Interceptor
+parent:
+    title: Interceptors
+    url: interceptors.html
+---
+
+# Fetch Metadata Interceptor
+
+## Description
+
+Interceptor that implements Cross-Origin Embedder Policy on incoming requests.
+
+COEP prevents the document from loading any framed documents which don't opt-in by setting the COEP header. (`Cross-Origin-Embedder-Policy: require-corp`). This provides protection for documents that don't restrict framing. A document that doesn't set COEP cannot be framed by another document with COEP. All descendents of a document with COEP will also enforce the same restrictions.
+
+COEP is now supported by all major browsers.
+
+
+
+[More information about COEP](https://web.dev/why-coop-coep/#coep).
+
+## Parameters
+
+- `exemptedPaths` - Set of opt out endpoints that are meant to serve cross-site traffic. Paths should contain leading slashes and must be relative. This field is empty by default.
+- `enforcingMode` - Boolean variable allowing the user to let COEP operate in `enforcing`, which blocks both resource and reports violations, or `report-only` mode, which only reports violations. Default value for field is `false`.
+- `disabled` - Boolean variable disabling and enabling COEP. Default value for field is `false`.
+
+## Examples
+
+```xml
+<interceptor name="coep" class="org.apache.struts2.interceptor.CoepInterceptor"/>
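Review bot: the H1 `+# Fetch Metadata Interceptor` contradicts the front matter `title: COEP Interceptor` in the same hunk; this file documents the COEP interceptor, so the heading should read `# COEP Interceptor`. The `enforcingMode` entry names two modes (`enforcing` and `report-only`) but only says the default is `false` without stating which mode `false` selects; spell that out so readers do not assume violations are blocked by default. The description sentence "This provides protection for documents that don't restrict framing" is unclear about who is protected; since the surrounding text says COEP is set by the embedding document and restricts what it may load, reword it from that side. Also `descendents` should be `descendants`.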

Review comment:
       As you've already defined it and added it to `struts-default.xml`.`defaultStack` [here](https://github.com/apache/struts/pull/432/files#diff-710b29900cea21e85893cae43dd08c92), this duplicate definition is not needed as far as I can remember, but please wait until @apache/struts-committers acknowledge as well.

##########
File path: source/core-developers/coop-interceptor.md
##########
@@ -0,0 +1,45 @@
+---
+layout: default
+title: COOP Interceptor
+parent:
+    title: Interceptors
+    url: interceptors.html
+---
+
+# Fetch Metadata Interceptor
+
+## Description
+
+Interceptor that implements Cross-Origin Opener Policy on incoming requests.
+
+COOP is a security mitigation that lets developers isolate their resources against side-channel attacks and information leaks. The COOP response header allows a document to request a new browsing context group to better isolate itself from other untrustworthy origins. Separating browsing contexts is necessary because at least two types of attacks are possible when a document shares a browsing context group and possibly an operating system process with cross-origin documents:
+
+- Cross-window attacks. A malicious document can open a victim document in a new window and later navigate the window to a look-alike document to trick the user, or attempt to exploit postMessage vulnerabilities in the victim document.
+- Process-wide attacks. Side channel and transient execution attacks like Spectre may provide an opportunity to the malicious document to get access to sensitive data from the victim document, if they share an OS process.
+
+The COOP header can have one of 3 values: `same-origin`, `same-origin-allow-popups`, `unsafe-none`.  If the COOP values are the same, and the origins of the documents match the relationship declared in the COOP header value, documents can interact with each other. Otherwise if at least one of the documents sets COOP, the browser will create a new browsing context group severing the link between the documents. Sites can use `same-origin-allow-popups` to allow popups they open to be in their browsing context group (unless the popup's own COOP prevents this).
+
+COOP is now supported by all major browsers.
+
+
+[More information about COOP](https://web.dev/why-coop-coep/#coop).
+
+## Parameters
+
+- `exemptedPaths` - Set of opt out endpoints that are meant to serve cross-site traffic. Paths should contain leading slashes and must be relative. This field is empty by default.
+- `mode` - The policy mode COOP should follow. Available modes are `same-origin`, `same-origin-allow-popups`, `unsafe-none`. Default mode is `same-origin`.
+
+## Examples
+
+```xml
+<interceptor name="coop" class="org.apache.struts2.interceptor.CoopInterceptor"/>
+
+<action  name="someAction" class="com.examples.SomeAction">
+    <interceptor-ref name="defaultStack">
+    <interceptor-ref name="coop">
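Review bot: the H1 `+# Fetch Metadata Interceptor` does not match `title: COOP Interceptor` in this file's front matter and should be `# COOP Interceptor`. The XML example closes neither `<interceptor-ref name="defaultStack">` nor `<interceptor-ref name="coop">` and has no `</action>`, so it is not valid configuration as shown; either close the elements or show only the `<param>` form. In the `mode` parameter, it would help readers to say what each value does in practice, in particular that `unsafe-none` leaves the document in the shared browsing context group, since the description above only explains the header in general terms. Minor: "one of 3 values" reads better as "one of three values".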

Review comment:
       (similar here)

##########
File path: source/core-developers/fetch-metadata-interceptor.md
##########
@@ -0,0 +1,42 @@
+---
+layout: default
+title: Fetch Metadata Interceptor
+parent:
+    title: Interceptors
+    url: interceptors.html
+---
+
+# Fetch Metadata Interceptor
+
+## Description
+
+An interceptor that implements Fetch Metadata on incoming requests used to protect against CSRF, XSSI, and cross-origin information leaks. Uses a default Resource Isolation Policy to programmatically reject cross-origin requests.
+
+A Resource Isolation Policy is a strong defense in-depth mechanism that prevents the resources on a server from being requested by external websites. This policy can be enabled either for all endpoints of the application and  endpoints that are meant to be loaded in a cross-site context can be exempted from the policy.
+
+The browser provides information about the context of an HTTP request in a set of `Sec-Fetch-*` headers. This allows the server processing the request to make decisions on whether the request should be accepted or rejected based on the preferred resource isolation policy. Struts provides a default Resource Isolation Policy that rejects cross-origin requests that aren't top level navigations.
+
+```
+Sec-Fetch-Site == 'cross-site' AND (Sec-Fetch-Mode != 'navigate'/'nested-navigate' OR method NOT IN [GET, HEAD])
+```
+
+Refer to [Implementing a Resource Isolation Policy](https://web.dev/fetch-metadata/#implementing-a-resource-isolation-policy) for further information on implementing effective Resource Isolation Policies.
+Fetch Metadata is supported in all major browsers
+
+## Parameters
+
+- `exemptedPaths` - Set of opt out endpoints that are meant to serve cross-site traffic. Paths should contain leading slashes and must be relative. This field is empty by default.
+
+## Examples
+
+```xml
+<interceptor name="fetchMetadata" class="org.apache.struts2.interceptor.FetchMetadataInterceptor"/>
+
+<action  name="someAction" class="com.examples.SomeAction">
+    <interceptor-ref name="defaultStack">
+    <interceptor-ref name="fetchMetadata">
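Review bot: the rejection rule `Sec-Fetch-Site == 'cross-site' AND (...)` only matches when the header is present and equals `cross-site`, so a request from a client that sends no `Sec-Fetch-*` headers is implicitly allowed; the page should state that behaviour explicitly rather than leave it to be inferred, especially right after the line claiming support in all major browsers. The sentence "This policy can be enabled either for all endpoints of the application and endpoints that are meant to be loaded in a cross-site context can be exempted" is ungrammatical; suggest "The policy is applied to all endpoints of the application, and endpoints that are meant to be loaded in a cross-site context can be exempted via `exemptedPaths`." The line "Fetch Metadata is supported in all major browsers" is missing its full stop, and the XML example never closes `<interceptor-ref name="defaultStack">`, `<interceptor-ref name="fetchMetadata">` or `<action>`.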

Review comment:
       (similar here)

##########
File path: source/core-developers/coep-interceptor.md
##########
@@ -0,0 +1,43 @@
+---
+layout: default
+title: COEP Interceptor
+parent:
+    title: Interceptors
+    url: interceptors.html
+---
+
+# Fetch Metadata Interceptor
+
+## Description
+
+Interceptor that implements Cross-Origin Embedder Policy on incoming requests.
+
+COEP prevents the document from loading any framed documents which don't opt-in by setting the COEP header. (`Cross-Origin-Embedder-Policy: require-corp`). This provides protection for documents that don't restrict framing. A document that doesn't set COEP cannot be framed by another document with COEP. All descendents of a document with COEP will also enforce the same restrictions.
+
+COEP is now supported by all major browsers.
+
+
+
+[More information about COEP](https://web.dev/why-coop-coep/#coep).
+
+## Parameters
+
+- `exemptedPaths` - Set of opt out endpoints that are meant to serve cross-site traffic. Paths should contain leading slashes and must be relative. This field is empty by default.
+- `enforcingMode` - Boolean variable allowing the user to let COEP operate in `enforcing`, which blocks both resource and reports violations, or `report-only` mode, which only reports violations. Default value for field is `false`.
+- `disabled` - Boolean variable disabling and enabling COEP. Default value for field is `false`.
+
+## Examples
+
+```xml
+<interceptor name="coep" class="org.apache.struts2.interceptor.CoepInterceptor"/>
+
+<action  name="someAction" class="com.examples.SomeAction">
+    <interceptor-ref name="defaultStack">
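Review bot: the `disabled` parameter is described as "disabling and enabling COEP" without saying which value does which; state that `true` disables the interceptor and that the default `false` leaves it active. The example ends on an unclosed `<interceptor-ref name="defaultStack">` with no `</interceptor-ref>` or `</action>`, so it cannot be pasted into a `struts.xml` as is. The three blank lines before the "More information about COEP" link should collapse to one.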

Review comment:
       Same here. I think it should be something like:
   ```xml
   <action  name="someAction" class="com.examples.SomeAction">
   	<interceptor-ref name="defaultStack">
   		<param name="coepInterceptor.exemptedPaths">...
   .
   .
   .
   	</interceptor-ref>
   ```






[GitHub] [struts-site] gchatz22 edited a comment on pull request #149: Adding documentation for Fetch Metadata, Cross-Origin Opener Policy & Cross-Origin Embedder Policy

Posted by GitBox <gi...@apache.org>.
gchatz22 edited a comment on pull request #149:
URL: https://github.com/apache/struts-site/pull/149#issuecomment-682771689


   Thank you for your comments @yasserzamani ! Applied your changes and as said will also be waiting for @apache/struts-committers opinion




[GitHub] [struts-site] lukaszlenart commented on pull request #149: Adding documentation for Fetch Metadata, Cross-Origin Opener Policy & Cross-Origin Embedder Policy

Posted by GitBox <gi...@apache.org>.
lukaszlenart commented on pull request #149:
URL: https://github.com/apache/struts-site/pull/149#issuecomment-688051754


   LGTM 👍 

