Posted to dev@struts.apache.org by GitBox <gi...@apache.org> on 2020/07/29 07:20:23 UTC

[GitHub] [struts] salcho opened a new pull request #429: WW-5084: Add Content Security Policy support to Struts

salcho opened a new pull request #429:
URL: https://github.com/apache/struts/pull/429


   Hello Struts Devs!
   
   This PR adds Content Security Policy support for Struts 2, a very popular security mitigation against XSS and other injection vulnerabilities. CSP comes in many flavours, but we've chosen to add support for the most robust of them: nonce-based, strict-dynamic CSP.
   
   Here's a summary of these changes:
   
   - Allows users to configure whether CSP is enabled in reporting or enforcement modes and lets them set a report URI, where violation reports will be sent by the browser.
   - Implements a CSP Interceptor that generates a nonce-based, strict-dynamic policy and adds it to HTTP responses according to the user's configuration.
   - Implements custom JSP and FTL <script> tags. These (`<s:script>` in taglib, for instance) set the nonce attribute on script blocks automatically, so that they match the nonce set in the policy. This feature allows developers to use both existing and new script blocks that are compatible with CSP with minimal refactoring.
   - Provides a default implementation of a CSP violation report collection endpoint. This allows developers to see CSP reports as they happen in their logs out of the box, with minimal effort. This behaviour is extensible, so developers can customise the processing of CSP reports.
   
   With these tools, developers can enable CSP in reporting mode, collect reports and identify and refactor existing code that is incompatible with CSP from these reports. Finally, developers will be able to switch CSP to enforcing mode, which will provide a very robust defense against XSS. 
   
   Co-authored-by: Ecenaz Jen Ozmen <eo...@columbia.edu>
   Co-authored-by: Giannis Chatziveroglou <gi...@google.com>
   Co-authored-by: Sal <sa...@gmail.com>


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
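As an added illustration of the policy the summary above describes (this is example code written for this page, not the code in PR #429 and not any Struts API; the class, method and endpoint names such as /csp-reports are invented), the following standalone Java program generates the per-response nonce, builds the strict-dynamic header in either reporting or enforcing mode, shows what a nonce-aware script tag must emit, and checks a rendered page for script blocks that would violate the policy:

```java
import java.security.SecureRandom;
import java.util.Base64;

/*
 * Standalone illustration of a nonce-based, strict-dynamic Content Security Policy.
 * Added example for this page; not code from PR #429. Names are invented.
 */
public final class StrictCspExample {

    /** Reporting vs. enforcing mode, as the PR summary describes. */
    public enum Mode { REPORT_ONLY, ENFORCE }

    private static final SecureRandom RNG = new SecureRandom();

    private final Mode mode;
    private final String reportUri; // null when no report collection endpoint is configured

    public StrictCspExample(Mode mode, String reportUri) {
        this.mode = mode;
        this.reportUri = reportUri;
    }

    /** Fresh 128-bit nonce per response. It must be unpredictable: SecureRandom, never Random. */
    public static String newNonce() {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        return Base64.getEncoder().encodeToString(raw);
    }

    /** Reporting mode uses the *-Report-Only header, which reports violations without blocking. */
    public String headerName() {
        return mode == Mode.ENFORCE
                ? "Content-Security-Policy"
                : "Content-Security-Policy-Report-Only";
    }

    /*
     * Builds the policy for one response. 'strict-dynamic' lets a nonced script load further
     * scripts; 'unsafe-inline', https: and http: are fallbacks that browsers which understand
     * 'strict-dynamic' ignore, so they only loosen the policy on older CSP1/CSP2 browsers.
     */
    public String headerValue(String nonce) {
        StringBuilder policy = new StringBuilder()
                .append("object-src 'none'; ")
                .append("script-src 'nonce-").append(nonce)
                .append("' 'strict-dynamic' 'unsafe-inline' https: http:; ")
                .append("base-uri 'none'");
        if (reportUri != null) {
            policy.append("; report-uri ").append(reportUri);
        }
        return policy.toString();
    }

    /** What an <s:script>-style tag must emit: a script element carrying the header's nonce. */
    public static String scriptTag(String nonce, String body) {
        return "<script nonce=\"" + nonce + "\">" + body + "</script>";
    }

    /** Sanity check on a rendered page: every script block starts with the header's nonce. */
    public static boolean allScriptsNonced(String html, String nonce) {
        String expected = "<script nonce=\"" + nonce + "\"";
        int idx = 0;
        while ((idx = html.indexOf("<script", idx)) >= 0) {
            if (!html.startsWith(expected, idx)) {
                return false; // an un-nonced block: blocked when enforcing, reported when report-only
            }
            idx += expected.length();
        }
        return true;
    }

    public static void main(String[] args) {
        StrictCspExample csp = new StrictCspExample(Mode.REPORT_ONLY, "/csp-reports");
        String nonce = newNonce();
        System.out.println(csp.headerName() + ": " + csp.headerValue(nonce));

        // Constructed page: one nonced block and one legacy block that still lacks a nonce.
        String page = "<html><body>"
                + scriptTag(nonce, "console.log('nonced');")
                + "<script>console.log('legacy block');</script>"
                + "</body></html>";
        System.out.println("all scripts nonced: " + allScriptsNonced(page, nonce));
    }
}
```

In reporting mode the browser still executes the un-nonced block but POSTs a JSON violation report (Content-Type application/csp-report, with the details under a top-level "csp-report" key) to the report-uri, which is what lets the legacy code be found and refactored before the header is switched to enforcing. Because the nonce is unique per response, the rendered page must not be served from a shared cache that would replay one nonce to many clients, and the nonce must never be derived from anything an attacker can predict.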


[GitHub] [struts] salcho commented on pull request #429: WW-5084: Add Content Security Policy support to Struts

Posted by GitBox <gi...@apache.org>.
salcho commented on pull request #429:
URL: https://github.com/apache/struts/pull/429#issuecomment-665061444


   Sorry, this PR was based off the wrong branch in our fork and has been replaced by https://github.com/apache/struts/pull/430





[GitHub] [struts] salcho closed pull request #429: WW-5084: Add Content Security Policy support to Struts

Posted by GitBox <gi...@apache.org>.
salcho closed pull request #429:
URL: https://github.com/apache/struts/pull/429


   




