Chandru10 created WW-5637:
-----------------------------
Summary: Global Configuration to Disable CSP Interceptor in Struts 2
Key: WW-5637
URL: https://issues.apache.org/jira/browse/WW-5637
Project: Struts 2
Issue Type: Improvement
Components: Core Interceptors
Reporter: Chandru10
We are planning to use our own CSP implementation and therefore need to disable
the default CSP header added by the Struts 2 framework. Currently, there is no
global mechanism available to disable the CSP interceptor and prevent the
framework from generating the default CSP header.
The only available approach is to define a custom interceptor stack in
struts.xml
{code:xml}
<package name="custom-default" extends="struts-default">
    <interceptors>
        <interceptor-stack name="customStack">
            <!-- reuse the default stack, but override the csp interceptor's "disabled" property -->
            <interceptor-ref name="defaultStack">
                <param name="csp.disabled">true</param>
            </interceptor-ref>
        </interceptor-stack>
    </interceptors>
    <default-interceptor-ref name="customStack" />
</package>
{code}
create separate packages, and ensure all modules use those packages. This
requires modifications across multiple configuration files and becomes
difficult to maintain in large applications, since we have multiple
struts-*.xml files that extend the struts-default package.
An alternative approach of extending CspSettingsAware (or similar CSP-related
interfaces/classes) is also not practical, as it would require changes to every
action class in the application.
It would be beneficial to provide a global configuration option (similar to
existing Struts constants) that allows enabling or disabling the CSP
interceptor application-wide through struts.xml or struts.properties, for
example:
{code:xml}
<constant name="struts.csp.enabled" value="false"/>
{code}
*Use Case:*
Applications that have their own CSP implementation or are in the process of
gradually adopting CSP need a simple, centralized way to disable the built-in
CSP interceptor and its default header generation without extensive
configuration changes across modules.
Could you please let me know whether providing a global configuration option
for disabling the CSP interceptor would be feasible? If not, is there any
recommended workaround that avoids the need for creating custom interceptor
stacks/packages and making modifications across multiple configuration files or
action classes?
--
This message was sent by Atlassian Jira (v8.20.10#820010)