[ https://issues.apache.org/jira/browse/WW-5084?focusedWorklogId=830279&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-830279 ]
ASF GitHub Bot logged work on WW-5084:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 01/Dec/22 09:25
            Start Date: 01/Dec/22 09:25
    Worklog Time Spent: 10m
      Work Description:
    TheFergus commented on PR #430:
    URL: https://github.com/apache/struts/pull/430#issuecomment-1333470726

    @lukaszlenart Hi, for <s:script></s:script>, if the src of the tag needs variables, what should I do?

        <s:script src="${myUrl}"></s:script>

Issue Time Tracking
-------------------

            Worklog Id: (was: 830279)
            Time Spent: 5h 20m  (was: 5h 10m)

> Content Security Policy support
> -------------------------------
>
>                 Key: WW-5084
>                 URL: https://issues.apache.org/jira/browse/WW-5084
>             Project: Struts 2
>          Issue Type: New Feature
>          Components: Core Interceptors, Core Tags
>    Affects Versions: 6.0.0
>            Reporter: Santiago Diaz
>            Priority: Major
>             Fix For: 6.0.0
>
>          Time Spent: 5h 20m
>  Remaining Estimate: 0h
>
> We'd like to add built-in Content Security Policy support to Struts2 to
> provide a major security mechanism that developers can use to protect against
> common Cross-Site Scripting vulnerabilities. Developers will have the ability
> to enable CSP in report-only or enforcement mode.
>
> We will provide an out-of-the-box tag that can be used by developers to
> use/import scripts in their web applications, so that these will
> automatically get nonces that are compatible with their Content Security
> policies.
>
> Finally, we will provide a built-in handler for CSP violation reports that
> will be used to collect and provide textual explanations of these reports.
> This endpoint will be used by developers to debug CSP violations and locate
> pieces of code that need to be refactored to support strong policies.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)