[ 
https://issues.apache.org/jira/browse/WW-5637?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lukasz Lenart updated WW-5637:
------------------------------
    Fix Version/s: 7.3.0

> Global Configuration to Disable CSP Interceptor in Struts 2
> -----------------------------------------------------------
>
>                 Key: WW-5637
>                 URL: https://issues.apache.org/jira/browse/WW-5637
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core Interceptors
>            Reporter: Chandru10
>            Priority: Major
>             Fix For: 7.3.0
>
>
> We are planning to use our own CSP implementation and therefore need to 
> disable the default CSP header added by the Struts 2 framework. Currently, 
> there is no global mechanism available to disable the CSP interceptor and 
> prevent the framework from generating the default CSP header.
> The only available approach is to define a custom interceptor stack in 
> struts.xml
> {code:java}
> <package name="custom-default" extends="struts-default">
>     <interceptors>
>         <interceptor-stack name="customStack">
>             <interceptor-ref name="defaultStack">
>                 <param name="csp.disabled">true</param>
>             </interceptor-ref>
>         </interceptor-stack>
>     </interceptors>
>     <default-interceptor-ref name="customStack" />
> </package>
> {code}
> create separate packages, and ensure all modules use those packages. This 
> requires modifications across multiple configuration files and becomes 
> difficult to maintain in large applications, since we have multiple 
> struts-*.xml files which extend the struts-default package.
>  
> An alternative approach of extending CspSettingsAware (or similar CSP-related 
> interfaces/classes) is also not practical, as it would require changes to 
> every action class in the application.
>  
> It would be beneficial to provide a global configuration option (similar to 
> existing Struts constants) that allows enabling or disabling the CSP 
> interceptor application-wide through struts.xml or struts.properties, for 
> example
> {code:java}
> <constant name="struts.csp.enabled" value="false"/>
> {code}
>  
> *Use Case:*
> Applications that have their own CSP implementation or are in the process of 
> gradually adopting CSP need a simple, centralized way to disable the built-in 
> CSP interceptor and its default header generation without extensive 
> configuration changes across modules.
> Could you please let me know whether providing a global configuration option 
> for disabling the CSP interceptor would be feasible? If not, is there any 
> recommended workaround that avoids the need for creating custom interceptor 
> stacks/packages and making modifications across multiple configuration files 
> or action classes?



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
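The maintenance problem the reporter describes (many struts-*.xml files, each of which may or may not route through a stack that sets csp.disabled) is easy to audit mechanically. The following is an added example, not code from the issue or from Struts: it parses a struts.xml document, follows each package's extends chain to its effective default interceptor stack, and reports which packages end up with the built-in CSP header disabled. The sample XML is constructed from the pattern quoted in the issue; the lookup assumes a single-parent extends attribute and stacks declared in the same file.

```python
"""Audit struts.xml packages: is the built-in CSP interceptor disabled?

Assumption (from the issue): CSP lives in struts-default's defaultStack and is
switched off by <param name="csp.disabled">true</param> on a defaultStack
interceptor-ref. The XML below is a constructed sample, not a real deployment.
"""
import xml.etree.ElementTree as ET

SAMPLE_STRUTS_XML = """<struts>
  <package name="custom-default" extends="struts-default">
    <interceptors>
      <interceptor-stack name="customStack">
        <interceptor-ref name="defaultStack">
          <param name="csp.disabled">true</param>
        </interceptor-ref>
      </interceptor-stack>
    </interceptors>
    <default-interceptor-ref name="customStack"/>
  </package>
  <package name="orders" extends="custom-default" namespace="/orders"/>
  <package name="legacy" extends="struts-default" namespace="/legacy"/>
</struts>"""


def _stacks_disabling_csp(pkg):
    """Names of stacks in pkg whose defaultStack ref sets csp.disabled=true."""
    names = set()
    for stack in pkg.iterfind("interceptors/interceptor-stack"):
        path = "interceptor-ref[@name='defaultStack']/param[@name='csp.disabled']"
        for param in stack.iterfind(path):
            if (param.text or "").strip().lower() == "true":
                names.add(stack.get("name"))
    return names


def audit_csp(xml_text):
    """Return {package name: True if the built-in CSP header is disabled}."""
    root = ET.fromstring(xml_text)
    pkgs = {p.get("name"): p for p in root.iter("package")}
    disabled_stacks = set()
    for pkg in pkgs.values():
        disabled_stacks |= _stacks_disabling_csp(pkg)

    def effective_default_ref(name):
        # Walk the extends chain until some package declares a default ref;
        # struts-default itself is not in the file, so fall back to defaultStack.
        while name in pkgs:
            ref = pkgs[name].find("default-interceptor-ref")
            if ref is not None:
                return ref.get("name")
            name = pkgs[name].get("extends")
        return "defaultStack"

    return {name: effective_default_ref(name) in disabled_stacks for name in pkgs}
```

Running audit_csp over the sample flags both custom-default and orders as CSP-disabled while legacy keeps the framework header, which is exactly the per-package inconsistency the issue wants a single constant to avoid.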
