[ https://issues.apache.org/jira/browse/WW-5083?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17178192#comment-17178192 ]
ASF subversion and git services commented on WW-5083:
-----------------------------------------------------

Commit f386e8990c5575bf8b998cb875e18013c0959fc3 in struts's branch refs/heads/master from JCgH4164838Gh792C124B5
[ https://gitbox.apache.org/repos/asf?p=struts.git;h=f386e89 ]

WW-5083 PR#426 follow-up.
- Updated ResourceIsolationPolicy Sec-Fetch* header cases to match spec.
- Added the Sec-Fetch-User header, plus additional dest/site/mode values from the spec.
- Renamed ResourceIsolationPolicy interface constants to follow the naming convention that was already present.
- Made StrutsResourceIsolationPolicy checks case-insensitive (even if specification says things should be case-sensitive) to better handle client bugs that will likely occur in the future.
- Updated FetchMetaDataInterceptor to use more standard LOG reference name, parameterization and call forms seen in other Struts 2 Interceptors.
- Including the Sec-Fetch-User in the Vary response header.
- Make setExemptedPaths an injectable method (but not required).
- Updated unit test to use more of the constants, added test confirming the Vary header replacement.
- A few whitespace changes and JavaDoc additions, including reference to the W3C specification site.

> Fetch Metadata support
> ----------------------
>
> Key: WW-5083
> URL: https://issues.apache.org/jira/browse/WW-5083
> Project: Struts 2
> Issue Type: New Feature
> Components: Core Interceptors
> Reporter: Santiago Diaz
> Priority: Major
> Fix For: 2.6
>
> Time Spent: 4h 50m
> Remaining Estimate: 0h
>
> We'd like to add built-in Fetch Metadata support to Struts2 to provide a
> simple security mechanism that developers can use to protect against
> Cross-Site Request Forgery vulnerabilities

--
This message was sent by Atlassian Jira
(v8.3.4#803005)