[
https://issues.apache.org/jira/browse/WW-5084?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Santiago Diaz updated WW-5084:
------------------------------
Description:
We'd like to add built-in Content Security Policy support to Struts2 to provide
a major security mechanism that developers can use to protect against common
Cross-Site Scripting vulnerabilities. Developers will have the ability to
enable CSP in report-only or enforcement mode.
We will provide an out of the box tag that can be used by developers to
use/import scripts in their web applications, so that these will automatically
get nonces that are compatible with their Content Security policies.
Finally, we will provide a built-in handler for CSP violation reports that will
be used to collect and provide textual explanations of these reports. This
endpoint will be used by developers to debug CSP violations and locate pieces
of code that need to be refactored to support strong policies.
was:
We'd like to add built-in Content Security Policy support to Struts2 to provide
a major security mechanism that developers can use to protect against common
Cross-Site Scripting vulnerabilities. Developers will have the ability to
enable CSP in report-only or enforcement mode.
We will provide an out of the box tag that can be used by developers to
use/import scripts in their web applications, so that these will automatically
get nonces that are compatible with their Content Security Policy policies.
Finally, we will provide a built-in handler for CSP violation reports that will
be used to collect and provide textual explanations of these reports. This
endpoint will be used by developers to debug CSP violations and locate pieces
of code that need to be refactored to support strong policies.
> Content Security Policy support
> -------------------------------
>
> Key: WW-5084
> URL: https://issues.apache.org/jira/browse/WW-5084
> Project: Struts 2
> Issue Type: New Feature
> Components: Core Interceptors, Core Tags
> Affects Versions: 2.6
> Reporter: Santiago Diaz
> Priority: Major
> Fix For: 2.6
>
>
> We'd like to add built-in Content Security Policy support to Struts2 to
> provide a major security mechanism that developers can use to protect against
> common Cross-Site Scripting vulnerabilities. Developers will have the ability
> to enable CSP in report-only or enforcement mode.
> We will provide an out of the box tag that can be used by developers to
> use/import scripts in their web applications, so that these will
> automatically get nonces that are compatible with their Content Security
> policies.
> Finally, we will provide a built-in handler for CSP violation reports that
> will be used to collect and provide textual explanations of these reports.
> This endpoint will be used by developers to debug CSP violations and locate
> pieces of code that need to be refactored to support strong policies.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
