[ 
https://issues.apache.org/jira/browse/WW-5400?focusedWorklogId=914041&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914041
 ]

ASF GitHub Bot logged work on WW-5400:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 10/Apr/24 22:45
            Start Date: 10/Apr/24 22:45
    Worklog Time Spent: 10m 
      Work Description: eschulma opened a new pull request, #913:
URL: https://github.com/apache/struts/pull/913

   Previously, it was impossible to set global options for the CSP interceptor. 
The only option was to have every action individually implement 
CspSettingsAware.
   
   To fix this, we add an interceptor parameter of defaultCspSettingsClassName. 
Values from this class will be used in the CSP header instead of 
DefaultCspSettings. Users may define their own custom class which implements 
CspSettings, and that will be the default for all actions that do not implement 
the CspSettingsAware interface. It is now possible to create this custom class 
by simply extending DefaultCspSettings.
   
   I have fixed a spelling error in DefaultCspSettings.java.

Issue Time Tracking
-------------------

            Worklog Id:     (was: 914041)
    Remaining Estimate: 0h
            Time Spent: 10m

> CSP interceptor only allows very limited configuration
> ------------------------------------------------------
>
>                 Key: WW-5400
>                 URL: https://issues.apache.org/jira/browse/WW-5400
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core Interceptors
>    Affects Versions: 6.3.0
>            Reporter: Erica Kane
>            Priority: Major
>             Fix For: 6.5.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> I have been trying to implement CSP on our website. The CSP interceptor 
> provides an elegant solution with the <s:script> and <s:link> tags. However, 
> I want to set my own base-uri. And perhaps make some other changes to the CSP 
> headers.
> But these values are not accessible. Only the report-only and report-uri can 
> be changed. Even if one is willing to work at the Action level and implement 
> a new interface for all of them, I can't change the base-uri. I've seen 
> people on Stack Overflow disable it for this reason. I want to use it, but 
> could someone please explain how to set the base-uri globally? If not, I will 
> likely have to make my own.
> P.S. I will update the documentation page. Nowhere in the description of the 
> interceptor does it mention the script and link tags, and without those, it 
> is useless!



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
