gchatz22 opened a new pull request #432: URL: https://github.com/apache/struts/pull/432
Hello Struts Devs! This PR adds Cross-Origin Opener Policy (COOP) and Cross-Origin Embedder Policy (COEP) support for Struts2, two very popular mitigations that aim to make a website cross-origin isolated. COOP is a security mitigation that lets developers isolate their resources against side-channel attacks and information leaks. COEP prevents a document from loading any non-same-origin resources which don't explicitly grant the document permission to be loaded. Both COOP and COEP require adding headers to the response object. COOP and COEP are independent mechanisms, and they can be enabled, tested and deployed separately. Using COEP and COOP together allows developers to safely use powerful features such as `SharedArrayBuffer`, `performance.measureMemory()`, and the JS Self-Profiling API. COOP and COEP are now supported by all major browsers. See https://web.dev/why-coop-coep/ for reference.

Here's a summary of the changes made:

- We created 2 new interceptors, the `CoopInterceptor` and `CoepInterceptor`, that handle adding the response headers for the respective security mitigation. Both were added to the default stack in `struts-default.xml`.
- Using the `CoopInterceptor`, developers have the ability to choose the policy they want COOP to operate with (`same-origin`, `same-origin-allow-popups`, or `unsafe-none`), set to `same-origin` by default. An exception is thrown if a policy other than the specified three is chosen by the developer.
- Using the `CoepInterceptor`, developers have the ability to choose between the two modes they want COEP to operate under: enforcing mode (header set as `Cross-Origin-Embedder-Policy`), which blocks resources and reports violations, and reporting mode (header set as `Cross-Origin-Embedder-Policy-Report-Only`), which only reports the violation without blocking resources.
- For both interceptors, developers are able to add exempted paths to which the chosen policy will not be applied.

In `struts-default.xml`, here is how developers can customize the interceptors:

```xml
<interceptor-ref name="coopInterceptor">
  <param name="exemptedPaths">path1,path2</param>
  <param name="mode">same-origin</param>
</interceptor-ref>
<interceptor-ref name="coepInterceptor">
  <param name="enforcingMode">false</param>
  <param name="disabled">false</param>
  <param name="exemptedPaths">path1,path2</param>
</interceptor-ref>
```
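The header logic the PR description lays out (COOP mode validation, enforcing versus report-only COEP header names, the `disabled` switch and exempted paths), written as an added example in JavaScript so the effect of a given set of `<param>` values can be checked before it ships. This is not the PR's Java code and not part of the Struts project; the `<param>` names are the PR's, every other function and variable name is mine, and three points the PR text does not settle are assumptions here: exemption is an exact match on the request path, the COEP header value is `require-corp`, and a missing `enforcingMode` means report-only.

```javascript
// Added example (not code from the Struts PR): a model of the COOP/COEP
// header logic described in the PR summary. Option names mirror the PR's
// <param> names; exact-match exemption, the "require-corp" COEP value and
// report-only as the default COEP mode are assumptions.

const COOP_MODES = new Set(["same-origin", "same-origin-allow-popups", "unsafe-none"]);

// Struts <param> values arrive as strings, so accept "true"/"false" as well as booleans.
function asFlag(value, defaultValue) {
  if (value === undefined || value === null) return defaultValue;
  return value === true || String(value).trim().toLowerCase() === "true";
}

// "path1,path2" -> ["path1", "path2"]; a missing param means no exemptions.
function parseExemptedPaths(value) {
  return (value ?? "").split(",").map((p) => p.trim()).filter(Boolean);
}

// Assumption: an exempted path matches the request path exactly.
function isExempted(path, exemptedPaths) {
  return parseExemptedPaths(exemptedPaths).includes(path);
}

// Headers the coopInterceptor would add; an unknown mode throws, as the PR describes.
function coopHeaders(params, path) {
  const mode = params.mode ?? "same-origin";
  if (!COOP_MODES.has(mode)) {
    throw new Error(`Unsupported COOP mode "${mode}"; expected one of ${[...COOP_MODES].join(", ")}`);
  }
  if (isExempted(path, params.exemptedPaths)) return {};
  return { "Cross-Origin-Opener-Policy": mode };
}

// Headers the coepInterceptor would add: header name depends on enforcingMode.
function coepHeaders(params, path) {
  if (asFlag(params.disabled, false)) return {};
  if (isExempted(path, params.exemptedPaths)) return {};
  const enforcing = asFlag(params.enforcingMode, false); // default assumed
  const name = enforcing ? "Cross-Origin-Embedder-Policy" : "Cross-Origin-Embedder-Policy-Report-Only";
  return { [name]: "require-corp" }; // value assumed; the PR does not state it
}

// Both interceptors run on the default stack, so a response gets the union.
function applyPolicies(coopParams, coepParams, path) {
  return { ...coopHeaders(coopParams, path), ...coepHeaders(coepParams, path) };
}

// The check a practitioner wants: will the browser treat the document as
// cross-origin isolated (self.crossOriginIsolated === true)? That requires
// COOP: same-origin plus an *enforced* COEP; the Report-Only header does not count.
function wouldBeCrossOriginIsolated(headers) {
  const coep = headers["Cross-Origin-Embedder-Policy"];
  return headers["Cross-Origin-Opener-Policy"] === "same-origin" &&
    (coep === "require-corp" || coep === "credentialless");
}

// Constructed sample: the exact <param> values from the PR description.
const PR_COOP = { exemptedPaths: "path1,path2", mode: "same-origin" };
const PR_COEP = { enforcingMode: "false", disabled: "false", exemptedPaths: "path1,path2" };

function demo() {
  const headers = applyPolicies(PR_COOP, PR_COEP, "/index.action");
  console.log(headers);
  console.log("cross-origin isolated:", wouldBeCrossOriginIsolated(headers));
  return headers;
}

demo();
```

Note what the PR's own sample configuration yields: with `enforcingMode` set to `false` the response carries `Cross-Origin-Embedder-Policy-Report-Only`, so the page is not cross-origin isolated and `SharedArrayBuffer` stays unavailable until the header is switched to enforcing. The live check after deployment is `self.crossOriginIsolated` in the browser console, or `curl -sI` on the action URL to confirm both headers are present and that an exempted path gets neither.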