salcho opened a new pull request #426:
URL: https://github.com/apache/struts/pull/426


   Hello Struts devs,
   
   This PR builds Fetch Metadata support for Struts2, namely:
   
   - If a request has `Sec-Fetch-*` headers (i.e. comes from a modern browser), 
the Fetch Metadata Interceptor will reject the request if it is requested 
cross-site (a potential CSRF attack).
   - One default Resource Isolation Policy is provided based on 
https://web.dev/fetch-metadata/, which prevents all major cross-site request 
forgery attacks.
   - This Interceptor gives the ability to add exemptions to this security 
mitigation, that is: URLs that are meant to be accessed cross-site.
   - The Fetch Metadata Interceptor has been added to the default interceptor 
stack.
   - The `Vary` header has been added to responses to ensure that any cached 
responses include Fetch Metadata headers in their key. This is an added layer 
of security against cache poisoning.


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
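The rules the PR description lists (reject cross-site requests identified by `Sec-Fetch-*` headers, a default Resource Isolation Policy following https://web.dev/fetch-metadata/, per-URL exemptions, and a `Vary` header on responses) can be modelled outside Struts. The following is an added example written for this page; it is not code from the pull request or from the Struts interceptor, and the class, function and header-merging logic are this example's own design. The exempt path and the sample requests are constructed for illustration. It implements the web.dev policy in the general form: requests without Fetch Metadata pass through, same-origin/same-site/`none` requests pass, cross-site requests pass only if the path is exempt or the request is a GET top-level navigation whose destination is not `object` or `embed`.

```python
"""Resource Isolation Policy on Fetch Metadata headers (added example, not PR code)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# The three request headers modern browsers attach; responses should Vary on them
# so a shared cache never serves a response keyed only on the URL.
FETCH_METADATA_HEADERS = ("Sec-Fetch-Site", "Sec-Fetch-Mode", "Sec-Fetch-Dest")

# Sec-Fetch-Site values that cannot be a cross-site request.
TRUSTED_SITES = {"same-origin", "same-site", "none"}

# Cross-site navigations to these destinations are still blocked by the
# web.dev policy, because <object>/<embed> loads carry credentials.
UNSAFE_NAVIGATION_DESTS = {"object", "embed"}


def _normalize(headers: Dict[str, str]) -> Dict[str, str]:
    """HTTP header names are case-insensitive; key by lowercase name."""
    return {k.lower(): v.strip().lower() for k, v in headers.items()}


@dataclass
class ResourceIsolationPolicy:
    # Paths deliberately reachable cross-site (hypothetical exemption list).
    exempt_paths: Set[str] = field(default_factory=set)

    def evaluate(self, method: str, path: str, headers: Dict[str, str]) -> Tuple[bool, str]:
        """Return (allowed, reason) for one request."""
        h = _normalize(headers)
        site = h.get("sec-fetch-site")
        if site is None:
            # No Fetch Metadata: legacy browser or non-browser client. The policy
            # cannot decide, so it allows and leaves CSRF to other defences.
            return True, "no Fetch Metadata headers"
        if site in TRUSTED_SITES:
            return True, f"Sec-Fetch-Site={site}"
        # Everything below is a cross-site request.
        if path in self.exempt_paths:
            return True, "path exempted from isolation"
        mode = h.get("sec-fetch-mode")
        dest = h.get("sec-fetch-dest", "")
        if mode == "navigate" and method.upper() == "GET" and dest not in UNSAFE_NAVIGATION_DESTS:
            # Top-level GET navigations (links, redirects) keep the site reachable.
            return True, "cross-site top-level navigation"
        return False, "cross-site request blocked"


def vary_header(existing: Optional[str] = None) -> str:
    """Merge the Fetch Metadata header names into an existing Vary value."""
    values = [v.strip() for v in (existing or "").split(",") if v.strip()]
    seen = {v.lower() for v in values}
    for name in FETCH_METADATA_HEADERS:
        if name.lower() not in seen:
            values.append(name)
            seen.add(name.lower())
    return ", ".join(values)


def handle(policy: ResourceIsolationPolicy, method: str, path: str,
           headers: Dict[str, str], existing_vary: Optional[str] = None) -> Dict[str, object]:
    """Minimal stand-in for an interceptor: 403 on rejection, Vary on every response."""
    allowed, reason = policy.evaluate(method, path, headers)
    return {"status": 200 if allowed else 403,
            "reason": reason,
            "headers": {"Vary": vary_header(existing_vary)}}


POLICY = ResourceIsolationPolicy(exempt_paths={"/api/public/webhook"})

# Constructed sample requests (not captured traffic): (method, path, headers).
SAMPLE_REQUESTS = {
    "same_origin_form_post": ("POST", "/account/transfer",
        {"Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Dest": "document"}),
    "csrf_form_post": ("POST", "/account/transfer",
        {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Dest": "document"}),
    "csrf_xhr_post": ("POST", "/account/transfer",
        {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Dest": "empty"}),
    "cross_site_link": ("GET", "/home",
        {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Dest": "document"}),
    "cross_site_embed": ("GET", "/home",
        {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Dest": "object"}),
    "legacy_client_post": ("POST", "/account/transfer", {}),
    "exempt_webhook_post": ("POST", "/api/public/webhook",
        {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Dest": "empty"}),
}

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(f"{name:24s} -> {handle(POLICY, *req)}")
```

The legacy-client case is the caveat to keep in mind when adding this to a default interceptor stack: a client that sends no `Sec-Fetch-*` headers at all is allowed through, so the interceptor is a defence for modern browsers and does not replace token-based CSRF protection for everything else.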


