[ 
https://issues.apache.org/jira/browse/WW-5084?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17163567#comment-17163567
 ] 

Santiago Diaz commented on WW-5084:
-----------------------------------

Hi [~lukaszlenart]!

We'll soon create a PR for this bug and are currently evaluating a couple of 
options to solve one last issue we have. Your feedback on this topic would be 
very welcome! Here's the situation:

We have implemented an interceptor that adds CSP headers to responses and now 
we'd like to collect CSP violation reports - these will be sent to a URI that 
is set by the user. When the report URI is a relative path (meaning, reports 
will be sent to this server) we'd like to automatically register a servlet 
that corresponds to that URI and processes reports automatically.

Unfortunately, we haven't seen any precedent of this (a piece of code in Struts 
that registers an Action and binds it to a URI programmatically). Some options 
we've considered are:
 * Add an additional interceptor that interrupts the interceptor chain when the 
right conditions are met on the request (checks path, content type, etc). This 
works but seems a little brittle generally.
 * Modify core classes like the ActionMapper to add an action programmatically 
in the presence of the CSP interceptor. This is a little intrusive and we 
wouldn't want to add dependencies to core code that might not need to be there.

Do you have any suggestions for how you'd approach this design? Any resources 
you could point us to?

Thank you!

> Content Security Policy support
> -------------------------------
>
>                 Key: WW-5084
>                 URL: https://issues.apache.org/jira/browse/WW-5084
>             Project: Struts 2
>          Issue Type: New Feature
>          Components: Core Interceptors, Core Tags
>    Affects Versions: 2.6
>            Reporter: Santiago Diaz
>            Priority: Major
>             Fix For: 2.6
>
>
> We'd like to add built-in Content Security Policy support to Struts2 to 
> provide a major security mechanism that developers can use to protect against 
> common Cross-Site Scripting vulnerabilities. Developers will have the ability 
> to enable CSP in report-only or enforcement mode.
> We will provide an out of the box tag that can be used by developers to 
> use/import scripts in their web applications, so that these will 
> automatically get nonces that are compatible with their Content Security 
> policies.
> Finally, we will provide a built-in handler for CSP violation reports that 
> will be used to collect and provide textual explanations of these reports. 
> This endpoint will be used by developers to debug CSP violations and locate 
> pieces of code that need to be refactored to support strong policies.
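The following is an added example, not code from the Struts project or from the commenter, sketching the first option described in the comment above: an interceptor placed at the front of the stack that recognises a browser-sent CSP violation report addressed to the configured relative report URI, consumes it, and short-circuits the chain, while every other request passes through to the mapped action. The package name, the class name, the `reportUri` parameter and the `/csp-reports` default are assumptions for illustration; the Struts calls used (`AbstractInterceptor`, `ActionInvocation.invoke()`, `ServletActionContext`, `Action.NONE`) are the ordinary Struts 2 API.

```java
package example.csp; // hypothetical package, not part of Struts

import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.logging.Logger;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;
import org.apache.struts2.ServletActionContext;

/**
 * Hypothetical example interceptor (not Struts project code): consumes CSP
 * violation reports POSTed to the configured relative report URI and stops the
 * chain; all other requests continue to the mapped action.
 */
public class CspReportInterceptor extends AbstractInterceptor {

    private static final Logger LOG = Logger.getLogger(CspReportInterceptor.class.getName());
    // Media type browsers use for report-uri POSTs. Reports sent via the newer
    // report-to directive arrive as application/reports+json and would need this widened.
    static final String CSP_REPORT_CONTENT_TYPE = "application/csp-report";
    // Real reports are a few hundred bytes; cap the body so the endpoint cannot be
    // used to make the server buffer arbitrarily large attacker-sent payloads.
    static final int MAX_REPORT_BYTES = 16 * 1024;
    // Matches "key": "value" string members; enough for the flat csp-report object.
    private static final Pattern STRING_MEMBER =
            Pattern.compile("\"([a-z-]+)\"\\s*:\\s*\"((?:[^\"\\\\]|\\\\.)*)\"");
    // Relative report URI, assumed to be injected from struts.xml as <param name="reportUri">.
    private String reportUri = "/csp-reports";

    public void setReportUri(String reportUri) {
        this.reportUri = reportUri;
    }

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        HttpServletRequest request = ServletActionContext.getRequest();
        HttpServletResponse response = ServletActionContext.getResponse();
        // Compare the path relative to the web-app context so a context path does not break the match.
        String path = request.getRequestURI().substring(request.getContextPath().length());
        if (!isCspReport(request.getMethod(), path, request.getContentType(), reportUri)) {
            return invocation.invoke(); // ordinary request: let the mapped action run
        }
        byte[] body = readBounded(request.getInputStream(), MAX_REPORT_BYTES);
        if (body == null) {
            response.setStatus(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
            return Action.NONE;
        }
        Map<String, String> report = parseReport(new String(body, StandardCharsets.UTF_8));
        // Log only: these values are browser-supplied and attacker-influenced, so they
        // must never be rendered into a page or used to build markup or queries.
        LOG.warning("CSP violation: directive=" + report.get("violated-directive")
                + " blocked=" + report.get("blocked-uri")
                + " document=" + report.get("document-uri"));
        response.setStatus(HttpServletResponse.SC_NO_CONTENT);
        return Action.NONE; // stop the chain: no action executed, no result rendered
    }

    /** Method, path and media type must all match so unrelated POSTs pass through untouched. */
    static boolean isCspReport(String method, String path, String contentType, String reportUri) {
        if (!"POST".equalsIgnoreCase(method) || !reportUri.equals(path) || contentType == null) {
            return false;
        }
        String mediaType = contentType.split(";", 2)[0].trim(); // drop charset and other parameters
        return CSP_REPORT_CONTENT_TYPE.equalsIgnoreCase(mediaType);
    }

    /** Reads at most {@code max} bytes; returns null if the stream holds more than that. */
    static byte[] readBounded(InputStream in, int max) throws IOException {
        byte[] buf = new byte[max + 1];
        int total = 0, n;
        while (total < buf.length && (n = in.read(buf, total, buf.length - total)) != -1) {
            total += n;
        }
        return total > max ? null : Arrays.copyOf(buf, total);
    }

    /** Pulls the string members of the "csp-report" object out of the JSON body. */
    static Map<String, String> parseReport(String json) {
        Map<String, String> fields = new LinkedHashMap<>();
        Matcher m = STRING_MEMBER.matcher(json);
        while (m.find()) {
            // Undo the two escapes seen in practice (\" and \\); anything else is kept verbatim.
            fields.put(m.group(1), m.group(2).replace("\\\"", "\"").replace("\\\\", "\\"));
        }
        return fields;
    }
}
```

Wired into struts.xml as an `<interceptor>` with a `<param name="reportUri">` and placed first in the stack, this runs before the params and validation interceptors touch the body. It illustrates why the comment calls the approach brittle: an interceptor only executes once the filter has mapped the request to an action, so the report URI must still resolve to some action (a wildcard mapping, for instance) or the request never reaches the stack, and the report endpoint then depends on the application's own action configuration rather than being registered by the CSP feature itself.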



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
