[
https://issues.apache.org/jira/browse/WW-5637?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18091210#comment-18091210
]
Chan commented on WW-5637:
--------------------------
[~lukaszlenart]
Just for clarification, I recently started exploring the ASF Struts 2 project.
Would it be possible for me to contribute this change?
It would be great if there is any documentation available for new contributors.
I'm looking for documentation that explains the project structure, how the
framework is maintained, the development workflow, and the steps required to
contribute changes.
> Global Configuration to Disable CSP Interceptor in Struts 2
> -----------------------------------------------------------
>
> Key: WW-5637
> URL: https://issues.apache.org/jira/browse/WW-5637
> Project: Struts 2
> Issue Type: Improvement
> Components: Core Interceptors
> Reporter: Chan
> Priority: Major
> Fix For: 7.3.0
>
>
> We are planning to use our own CSP implementation and therefore need to
> disable the default CSP header added by the Struts 2 framework. Currently,
> there is no global mechanism available to disable the CSP interceptor and
> prevent the framework from generating the default CSP header.
> The only available approach is to define a custom interceptor stack in
> struts.xml
> {code:java}
> <package name="custom-default" extends="struts-default">
>     <interceptors>
>         <interceptor-stack name="customStack">
>             <interceptor-ref name="defaultStack">
>                 <param name="csp.disabled">true</param>
>             </interceptor-ref>
>         </interceptor-stack>
>     </interceptors>
>     <default-interceptor-ref name="customStack" />
> </package>
> {code}
> create separate packages, and ensure all modules use those packages. This
> requires modifications across multiple configuration files and becomes
> difficult to maintain in large applications since we have multiple
> struts-*.xml files which extend the struts-default package.
>
>
> An alternative approach of extending CspSettingsAware (or similar CSP-related
> interfaces/classes) is also not practical, as it would require changes to
> every action class in the application.
>
> It would be beneficial to provide a global configuration option (similar to
> existing Struts constants) that allows enabling or disabling the CSP
> interceptor application-wide through struts.xml or struts.properties, for
> example
> {code:java}
> <constant name="struts.csp.enabled" value="false"/>
> {code}
>
> *Use Case:*
> Applications that have their own CSP implementation or are in the process of
> gradually adopting CSP need a simple, centralized way to disable the built-in
> CSP interceptor and its default header generation without extensive
> configuration changes across modules.
> Could you please let me know whether providing a global configuration option
> for disabling the CSP interceptor would be feasible? If not, is there any
> recommended workaround that avoids the need for creating custom interceptor
> stacks/packages and making modifications across multiple configuration files
> or action classes?
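An added example, not part of the original message or the Struts project's code: a sketch that inventories which packages across several struts-*.xml files actually inherit the `customStack` override from the workaround quoted above, so a missed module that still uses the framework default is easy to spot. The file names, the `orders`/`admin`/`reports` packages and the resolution order for multiple parents are assumptions.

```python
import xml.etree.ElementTree as ET

CUSTOM_STACK = "customStack"  # stack name from the issue's struts.xml snippet

# Constructed sample input: file names and the orders/admin/reports packages are hypothetical.
SAMPLE = {
    "struts.xml": """<struts>
      <package name="custom-default" extends="struts-default">
        <interceptors><interceptor-stack name="customStack">
          <interceptor-ref name="defaultStack"><param name="csp.disabled">true</param></interceptor-ref>
        </interceptor-stack></interceptors>
        <default-interceptor-ref name="customStack"/>
      </package></struts>""",
    "struts-orders.xml": '<struts><package name="orders" extends="custom-default"/></struts>',
    "struts-admin.xml": """<struts><package name="admin" extends="struts-default"/>
      <package name="reports" extends="admin"/></struts>""",
}

def load_packages(configs):
    """Map package name -> (file, parent names, own default-interceptor-ref or None)."""
    packages = {}
    for filename, xml_text in configs.items():
        for pkg in ET.fromstring(xml_text).iter("package"):
            parents = [p.strip() for p in pkg.get("extends", "").split(",") if p.strip()]
            ref = pkg.find("default-interceptor-ref")
            own = ref.get("name") if ref is not None else None
            packages[pkg.get("name")] = (filename, parents, own)
    return packages

def effective_stack(name, packages, seen=()):
    """Default stack a package ends up with through its extends chain; None when it
    comes from a package outside the scanned files (such as struts-default)."""
    if name not in packages or name in seen:
        return None
    _, parents, own = packages[name]
    if own:
        return own
    for parent in parents:  # assumption: first parent that yields a stack wins
        stack = effective_stack(parent, packages, seen + (name,))
        if stack:
            return stack
    return None

def packages_missing_override(configs, custom_stack=CUSTOM_STACK):
    """(file, package) pairs whose default stack is not the CSP-disabled custom stack."""
    packages = load_packages(configs)
    return sorted((f, n) for n, (f, _, _) in packages.items()
                  if effective_stack(n, packages) != custom_stack)
```

Actions that declare their own `interceptor-ref` elements do not use the package default stack and are not covered by this check.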