[
https://issues.apache.org/jira/browse/WW-5084?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17164296#comment-17164296
]
Santiago Diaz commented on WW-5084:
-----------------------------------
Sure. Reporting is two-fold: First, the Content Security Policy header must
define a report-to field that points to a URL (say, report-to /cspreports).
Whenever the browser creates a violation report, if the report-to directive is
defined in the policy, it will be sent to that URL. Then, that URL should be
active and listening for incoming reports through an Action.
What we wanted to do was let the user specify the value for the report-to field
(which is a parameter to the CSP interceptor) and automatically set up an
Action for that URL, so that enabling the CSP interceptor would also enable the
reporting endpoint automatically. But because this isn't easy to do, the final
implementation would require users to not only configure the CSP interceptor
through the regular interceptor stack, but also set up an action that points to
a class we provide, so config would often look something along the lines of:
<action name="cspreports" class="org.apache.struts2.action.CspReportHandler" method="execute">
    <result name="success">/ReportReceived.jsp</result>
</action>
...
<interceptor-ref name="cspInterceptor">
    <param name="enforcingMode">false</param>
    <param name="reportUri">/cspreports</param>
</interceptor-ref>
> Content Security Policy support
> -------------------------------
>
> Key: WW-5084
> URL: https://issues.apache.org/jira/browse/WW-5084
> Project: Struts 2
> Issue Type: New Feature
> Components: Core Interceptors, Core Tags
> Affects Versions: 2.6
> Reporter: Santiago Diaz
> Priority: Major
> Fix For: 2.6
>
>
> We'd like to add built-in Content Security Policy support to Struts2 to
> provide a major security mechanism that developers can use to protect against
> common Cross-Site Scripting vulnerabilities. Developers will have the ability
> to enable CSP in report-only or enforcement mode.
> We will provide an out of the box tag that can be used by developers to
> use/import scripts in their web applications, so that these will
> automatically get nonces that are compatible with their Content Security
> policies.
> Finally, we will provide a built-in handler for CSP violation reports that
> will be used to collect and provide textual explanations of these reports.
> This endpoint will be used by developers to debug CSP violations and locate
> pieces of code that need to be refactored to support strong policies.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
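The two halves of the feature discussed above (a report-only or enforcing policy carrying a per-response nonce, and an endpoint that turns violation reports into a textual explanation) are shown below as an added example. This is illustrative code written for this page, not code from the Struts 2 project or from the ticket's author; the policy text, the helper names, and the two sample report payloads are assumptions constructed for the example. It accepts both the report-uri payload (one object under "csp-report") and the Reporting API payload used by report-to (an array of {"type": "csp-violation", "body": {...}} objects).

```python
import base64
import json
import secrets


def new_nonce() -> str:
    """Fresh per-response nonce: 128 bits from the CSPRNG, base64 encoded."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def csp_header(nonce: str, report_uri: str, enforcing: bool) -> tuple[str, str]:
    """(header name, header value) for one response. The policy text is the
    same in both modes; only the header name decides whether the browser
    blocks or merely reports. The policy here is this example's assumption."""
    name = ("Content-Security-Policy" if enforcing
            else "Content-Security-Policy-Report-Only")
    policy = ("object-src 'none'; "
              f"script-src 'nonce-{nonce}' 'strict-dynamic'; "
              "base-uri 'none'; "
              f"report-uri {report_uri}")
    return name, policy


def parse_reports(body: str) -> list[dict]:
    """Normalise a violation report POST body into dicts with common keys.
    report-uri format: {"csp-report": {kebab-case keys}}.
    report-to (Reporting API) format: [{"type": "csp-violation",
    "body": {camelCase keys}}, ...]."""
    data = json.loads(body)
    raw = []
    if isinstance(data, dict) and "csp-report" in data:
        raw.append(data["csp-report"])
    elif isinstance(data, list):
        raw.extend(r["body"] for r in data if r.get("type") == "csp-violation")
    else:
        raise ValueError("not a CSP violation report")

    def pick(r, *keys):
        for k in keys:
            if k in r:
                return r[k]
        return None

    return [{
        "document": pick(r, "document-uri", "documentURL"),
        "directive": pick(r, "effective-directive", "effectiveDirective",
                          "violated-directive"),
        "blocked": pick(r, "blocked-uri", "blockedURL"),
        "source": pick(r, "source-file", "sourceFile"),
        "line": pick(r, "line-number", "lineNumber"),
        "disposition": pick(r, "disposition") or "enforce",
    } for r in raw]


def explain(v: dict) -> str:
    """Plain-language hint about which piece of code needs refactoring."""
    where = f"{v['source']}:{v['line']}" if v["source"] else v["document"]
    d = v["directive"] or "?"
    b = v["blocked"] or "?"
    if b == "inline" and d.startswith("script-src"):
        return (f"Inline script at {where} has no nonce: move it to an external "
                "file loaded through the nonced script tag, or emit the nonce on it")
    if b == "inline" and d.startswith("style-src"):
        return f"Inline style at {where} violates {d}: move it to a stylesheet"
    if b == "eval":
        return (f"eval()/new Function() at {where} blocked by {d}: refactor it "
                "away ('unsafe-eval' would weaken the policy)")
    return (f"{b} blocked by {d} on {v['document']}: load it through the "
            "nonced tag or add a source expression for it")


# Constructed sample payloads (not real browser captures).
SAMPLE_REPORT_URI = json.dumps({"csp-report": {
    "document-uri": "https://app.example/index.action",
    "violated-directive": "script-src 'nonce-abc' 'strict-dynamic'",
    "effective-directive": "script-src-elem",
    "original-policy": "object-src 'none'; script-src 'nonce-abc'",
    "blocked-uri": "inline",
    "source-file": "/app/index.jsp",
    "line-number": 12,
    "status-code": 200}})

SAMPLE_REPORT_TO = json.dumps([{
    "type": "csp-violation", "age": 10,
    "url": "https://app.example/index.action", "user_agent": "constructed",
    "body": {"documentURL": "https://app.example/index.action",
             "effectiveDirective": "script-src-elem",
             "blockedURL": "https://cdn.example.net/lib.js",
             "disposition": "report", "statusCode": 200,
             "originalPolicy": "object-src 'none'; script-src 'nonce-abc'"}}])


if __name__ == "__main__":
    print(csp_header(new_nonce(), "/cspreports", enforcing=False))
    for payload in (SAMPLE_REPORT_URI, SAMPLE_REPORT_TO):
        for violation in parse_reports(payload):
            print(explain(violation))
```

Keep the report endpoint itself outside the policy's reach: it receives attacker-influenceable JSON, so parse it strictly, cap the body size, and never reflect report fields into an HTML page without escaping.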