On 14/02/18 11:51, Harrison & Wells wrote:
> Sorry to disturb you.

Not at all.

> I read the Contributing.md
> <https://github.com/apache/tomcat/blob/trunk/CONTRIBUTING.md> on your
> github mirror and even found the beginner issues
> <https://bz.apache.org/bugzilla/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&bug_status=NEEDINFO&keywords=Beginner&keywords_type=allwords&list_id=160824&product=Tomcat%207&product=Tomcat%208&product=Tomcat%209&query_format=advanced>
> .
> Except there are only three of them, out of which one is already solved,
> one is a case of XML validation (not a bug, technically) and one can be
> solved using a filter.
> <https://bz.apache.org/bugzilla/show_bug.cgi?id=58837>
> So I decided I could go with the filter one but man, CSP is complex and I
> don't think one could just do a general 'default-src' because even that can
> be pretty tight.
> So it is a bit unclear.
> Thanks for reading.
> I'd appreciate any help in getting started.

I agree with you completely regarding the complexity of CSP. I'm not convinced that a CSP specific filter is possible. Igal's suggestion in comment #6 is probably the way to go. A generic HTTP header filter.

I'd look at httpd's mod_headers module for inspiration for the sort of features a generic HTTP header filter should provide. I don't think the first iteration needs to completely cover all of the mod_headers functionality (adding headers to the response is probably enough at this point) but having the eventual functionality in mind will ensure that configuration parameters (likely filter parameters in this case) are chosen appropriately.

HTH,

Mark
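The generic response-header filter suggested in the reply above, shown as an added example (not code from this thread or from Tomcat). The class name `ResponseHeaderFilter` and the `set.<Header-Name>` init-param convention are hypothetical; the code assumes the `javax.servlet` API, so a policy would be configured as an init-param named `set.Content-Security-Policy`.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Hypothetical class for illustration; not part of Tomcat.
public class ResponseHeaderFilter implements Filter {
    // Assumed convention: init-param "set.<Header-Name>" holds the header value.
    // The prefix leaves room for other mod_headers-style actions later.
    private static final String PREFIX = "set.";
    private final Map<String, String> headers = new LinkedHashMap<>();

    @Override
    public void init(FilterConfig config) throws ServletException {
        for (String param : Collections.list(config.getInitParameterNames())) {
            if (!param.startsWith(PREFIX)) {
                continue; // not a header parameter
            }
            String name = param.substring(PREFIX.length());
            String value = config.getInitParameter(param);
            // Fail at startup on a non-token name or a value containing
            // CR, LF or NUL, rather than emit a malformed or split header.
            if (!name.matches("[!#$%&'*+.^_`|~0-9A-Za-z-]+")
                    || value == null || value.matches("(?s).*[\\r\\n\\x00].*")) {
                throw new ServletException("Invalid header configuration: " + param);
            }
            headers.put(name, value);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            HttpServletResponse http = (HttpServletResponse) res;
            // Set before the chain runs: headers set after the response
            // is committed are ignored. Downstream code may still override.
            headers.forEach(http::setHeader);
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        headers.clear();
    }
}
```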