Hello Struts devs,
My name is Santiago, I'm a Security Engineer at Google. I am currently making
preparations for this summer's Google internships, where we'd like to
contribute security enhancements to a range of open source projects, one
of which is Struts.
We have experience deploying several security mechanisms at scale. We
understand that this is not a trivial process and would like to make it easier
for Struts users to implement strong security policies, find blockers for
deployment, locate pieces of code that need refactoring and set up monitoring
for security violations. We'd be happy to collaborate with you this summer to
make this happen!
We would like to evaluate the feasibility of providing the following
protections in Struts, be it through out-of-the-box interceptors, plugins or
suchlike:
- Protecting against XSS:
  - Content Security Policy restricts active content that is allowed to run
    in the browser. See https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
  - Trusted Types is a great technology for protecting against DOM XSS. There
    is a great primer at https://web.dev/trusted-types/
- Protecting against Cross-Site Request Forgery, XS-Leaks, Spectre & timing
  attacks through site isolation:
  - Fetch Metadata. See
    https://developer.mozilla.org/en-US/docs/Glossary/Fetch_metadata_request_header#:~:text=A%20fetch%20metadata%20request%20header,not%20be%20modified%20from%20JavaScript.
  - Cross-Origin Opener Policy. See https://web.dev/why-coop-coep/
We envision a world where users can build and deploy security policies for some
of these technologies in Struts!
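To make the proposal above concrete, here is an added example (not code from this message or from the Struts project) of what such an out-of-the-box interceptor could look like. It assumes the Struts 2.5/6 interceptor API (`AbstractInterceptor`, `ServletActionContext`, the `javax.servlet` package) and uses a hypothetical class name `IsolationAndCspInterceptor` and request attribute `cspNonce`; the HTTP header names are the standard ones. It applies a Fetch Metadata resource-isolation policy before the action runs, and on the way out sets a nonce-based strict CSP that also requires Trusted Types, plus COOP.

```java
// Added example, not part of the original message or of Struts itself.
// Assumes Struts 2.5/6 (com.opensymphony.xwork2 + javax.servlet); the class
// name and the "cspNonce" attribute are hypothetical.
import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;
import org.apache.struts2.ServletActionContext;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Set;

public class IsolationAndCspInterceptor extends AbstractInterceptor {

    private static final SecureRandom RANDOM = new SecureRandom();
    // Sec-Fetch-Site values that are never cross-site.
    private static final Set<String> SAME_SITE = Set.of("same-origin", "same-site", "none");
    // Navigations into <object>/<embed> are not "simple" top-level navigations.
    private static final Set<String> EMBED_DESTS = Set.of("object", "embed");

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        HttpServletRequest request = ServletActionContext.getRequest();
        HttpServletResponse response = ServletActionContext.getResponse();

        if (!allowedByResourceIsolation(
                request.getHeader("Sec-Fetch-Site"),
                request.getHeader("Sec-Fetch-Mode"),
                request.getHeader("Sec-Fetch-Dest"),
                request.getMethod())) {
            // Cross-site subresource or non-GET request: block before the action runs.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "cross-site request blocked");
            return Action.NONE;
        }

        String nonce = newNonce();
        // Make the nonce available to the view so it can emit <script nonce="...">.
        request.setAttribute("cspNonce", nonce);
        response.setHeader("Content-Security-Policy", cspFor(nonce));
        // Site isolation: no cross-origin window can keep a reference to this one.
        response.setHeader("Cross-Origin-Opener-Policy", "same-origin");
        return invocation.invoke();
    }

    /** Fetch Metadata resource isolation policy (web.dev/fetch-metadata). */
    static boolean allowedByResourceIsolation(String site, String mode, String dest, String method) {
        // Browsers without Fetch Metadata send no Sec-Fetch-Site header: allow,
        // so legacy clients keep working (they get no protection, not a block).
        if (site == null) {
            return true;
        }
        if (SAME_SITE.contains(site)) {
            return true;
        }
        // Cross-site is only acceptable for a simple top-level GET navigation,
        // and never when the page would be embedded via <object>/<embed>.
        boolean simpleNavigation = "navigate".equals(mode)
                && "GET".equalsIgnoreCase(method)
                && (dest == null || !EMBED_DESTS.contains(dest));
        return simpleNavigation;
    }

    /** Strict CSP: nonce + strict-dynamic, no plugins, no base hijack, Trusted Types on. */
    static String cspFor(String nonce) {
        return "script-src 'nonce-" + nonce + "' 'strict-dynamic' https: 'unsafe-inline'; "
                + "object-src 'none'; "
                + "base-uri 'none'; "
                + "require-trusted-types-for 'script'";
    }

    /** 128-bit random nonce, base64-encoded, fresh per response. */
    static String newNonce() {
        byte[] bytes = new byte[16];
        RANDOM.nextBytes(bytes);
        return Base64.getEncoder().encodeToString(bytes);
    }
}
```

The `https: 'unsafe-inline'` tokens are the usual fallback for browsers that do not understand nonces and `'strict-dynamic'`; browsers that do ignore them. Rolling this out means registering the interceptor in the stack in `struts.xml`, adding `nonce="${cspNonce}"` to every inline script in the views (the refactoring blockers the message mentions), and, for monitoring, shipping a `Content-Security-Policy-Report-Only` variant first so violations surface before anything is enforced.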
We are aware of the general contribution guidelines provided by the ASF and
would like to know whether you could give us any further context on whether
this has been attempted before, what issues you've come across generally in
terms of security and whether you have any thoughts on what would be the best
way for us to contribute.
Thank you for reading and I'm looking forward to hearing from you! :)