Hello Struts devs,

My name is Santiago, I'm a Security Engineer at Google. I am currently making 
preparations for this summer's Google internships, where we'd like to 
contribute security enhancements to a range of open source projects, one 
of which is Struts.

We have experience deploying several security mechanisms at scale. We 
understand that this is not a trivial process and would like to make it easier 
for Struts users to implement strong security policies, find blockers for 
deployment, locate pieces of code that need refactoring and set up monitoring 
for security violations. We'd be happy to collaborate with you this summer to 
make this happen!

We would like to evaluate the feasibility of providing the following 
protections in Struts, be it through out-of-the-box interceptors, plugins or 
suchlike:

- Protecting against XSS:
    - Content Security Policy restricts active content that is allowed to run 
      in the browser. See https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
    - Trusted Types is a great technology for protecting against DOM XSS. There 
      is a great primer at https://web.dev/trusted-types/

- Protecting against Cross-Site Request Forgery, XS-Leaks, Spectre & timing 
  attacks through site isolation:
    - Fetch Metadata. See 
      https://developer.mozilla.org/en-US/docs/Glossary/Fetch_metadata_request_header#:~:text=A%20fetch%20metadata%20request%20header,not%20be%20modified%20from%20JavaScript.
    - Cross-Origin Opener Policy. See https://web.dev/why-coop-coep/

We envision a world where users can build and deploy security policies for some 
of these technologies in Struts!

We are aware of the general contributions guidelines provided by the ASF and 
would like to know whether you could give us any further context on whether 
this has been attempted before, what issues you've come across generally in 
terms of security and whether you have any thoughts on what would be the best 
way for us to contribute.

Thank you for reading and I'm looking forward to hearing from you! :)
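As an added illustration of the "out-of-the-box interceptor" idea for the Fetch Metadata item above (example code written for this page, not from the original message, Google or the Struts project): a Struts 2 interceptor that applies a Resource Isolation Policy, with a report-only mode so a deployment can first monitor violations before enforcing. It assumes the Struts 2.5 package layout (`com.opensymphony.xwork2.*`, `javax.servlet.*`) and Java 9+ for `Set.of`.

```java
import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;
import org.apache.struts2.ServletActionContext;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.util.Set;
import java.util.logging.Logger;

/**
 * Resource Isolation Policy built on Fetch Metadata request headers.
 * Cross-site requests are accepted only when they are plain top-level GET
 * navigations; everything else from another site is rejected with 403.
 * Browsers that do not send Sec-Fetch-* headers are let through, so the
 * policy degrades gracefully instead of breaking old clients.
 */
public class FetchMetadataInterceptor extends AbstractInterceptor {
    private static final Logger LOG = Logger.getLogger(FetchMetadataInterceptor.class.getName());
    private static final Set<String> TRUSTED_SITES = Set.of("same-origin", "same-site", "none");
    private static final Set<String> BLOCKED_NAV_DESTS = Set.of("object", "embed");

    // Interceptor parameter (set via <param name="reportOnly">true</param> in struts.xml):
    // log violations without blocking, to find deployment blockers first.
    private boolean reportOnly = false;
    public void setReportOnly(boolean reportOnly) { this.reportOnly = reportOnly; }

    /** Pure decision function, kept free of servlet plumbing so it can be unit tested. */
    static boolean isAllowed(String method, String site, String mode, String dest) {
        if (site == null) return true;                 // no Fetch Metadata: cannot enforce
        if (TRUSTED_SITES.contains(site)) return true; // same-origin/same-site/user-initiated
        // Cross-site: allow only top-level GET navigations (links, address bar), but not
        // <object>/<embed> loads, which browsers also report as mode "navigate".
        return "navigate".equals(mode) && "GET".equals(method) && !BLOCKED_NAV_DESTS.contains(dest);
    }

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        HttpServletRequest req = ServletActionContext.getRequest();
        String site = req.getHeader("Sec-Fetch-Site");
        if (!isAllowed(req.getMethod(), site, req.getHeader("Sec-Fetch-Mode"),
                       req.getHeader("Sec-Fetch-Dest"))) {
            LOG.warning("Fetch Metadata violation: " + req.getMethod() + " " + req.getRequestURI()
                    + " from Sec-Fetch-Site=" + site + (reportOnly ? " (report-only)" : " (blocked)"));
            if (!reportOnly) {
                ServletActionContext.getResponse()
                        .sendError(HttpServletResponse.SC_FORBIDDEN, "Cross-site request blocked");
                return Action.NONE;                    // response already committed, render nothing
            }
        }
        return invocation.invoke();
    }
}
```

Register it in struts.xml ahead of the default stack so rejected requests never reach action code or parameter population; run with `reportOnly=true` until the log shows no legitimate cross-site traffic, then switch to enforcing.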

