You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@struts.apache.org by "Takashi Mori (Jira)" <ji...@apache.org> on 2022/11/10 04:01:00 UTC

[jira] [Commented] (WW-5084) Content Security Policy support

    [ https://issues.apache.org/jira/browse/WW-5084?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17631437#comment-17631437 ] 

Takashi Mori commented on WW-5084:
----------------------------------

Hi [~saldiaz] ,

sorry, this may sounds very basic..

It seems by default Content-Security-Policy-Report-Only is enabled on http response tag if i include use defaultStack intercepter.

Would you help to advise how to disable it  ?  Also, how to enforce CSP (not report only) ?  as it seems there is way to switch mode as the following.
 * Allows users to configure whether CSP is enabled in reporting or enforcement modes and lets them set a report URI, where violation reports will be sent by the browser.

Thanks for your help in advance.

> Content Security Policy support
> -------------------------------
>
>                 Key: WW-5084
>                 URL: https://issues.apache.org/jira/browse/WW-5084
>             Project: Struts 2
>          Issue Type: New Feature
>          Components: Core Interceptors, Core Tags
>    Affects Versions: 6.0.0
>            Reporter: Santiago Diaz
>            Priority: Major
>             Fix For: 6.0.0
>
>          Time Spent: 5h 10m
>  Remaining Estimate: 0h
>
> We'd like to add built-in Content Security Policy support to Struts2 to provide a major security mechanism that developers can use to protect against common Cross-Site Scripting vulnerabilities. Developers will have the ability to enable CSP in report-only or enforcement mode.
> We will provide an out of the box tag that can be used by developers to use/import scripts in their web applications, so that these will automatically get nonces that are compatible with their Content Security policies.
> Finally, we will provide a built-in handler for CSP violation reports that will be used to collect and provide textual explanations of these reports. This endpoint will be used by developers to debug CSP violations and locate pieces of code that need to be refactored to support strong policies.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)