[WW-5084] Content Security Policy support - ASF JIRA

XML

Word

Printable

JSON

Details

Type: New Feature
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 6.0.0
Fix Version/s: 6.0.0
Component/s: Core Interceptors, Core Tags
Labels:
None

Description

We'd like to add built-in Content Security Policy support to Struts2 to provide a major security mechanism that developers can use to protect against common Cross-Site Scripting vulnerabilities. Developers will have the ability to enable CSP in report-only or enforcement mode.

We will provide an out of the box tag that can be used by developers to use/import scripts in their web applications, so that these will automatically get nonces that are compatible with their Content Security policies.

Finally, we will provide a built-in handler for CSP violation reports that will be used to collect and provide textual explanations of these reports. This endpoint will be used by developers to debug CSP violations and locate pieces of code that need to be refactored to support strong policies.

Attachments

Issue Links

causes

WW-5297 Decorator not working after invalidating session

Resolved

links to

GitHub Pull Request #429

GitHub Pull Request #430

Activity

People

Assignee:: Unassigned

Reporter:: Santiago Diaz

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 21/Jul/20 13:17

Updated:: 30/Aug/24 11:35

Resolved:: 10/Nov/22 06:30

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

5.5h