Chan created WW-5638:
------------------------
Summary: Clarification on CSP Header Processing and PreResultListener Behavior
Key: WW-5638
URL: https://issues.apache.org/jira/browse/WW-5638
Project: Struts 2
Issue Type: Improvement
Components: Core Interceptors
Reporter: Chan
While evaluating the Struts CSP support I had a couple of questions regarding
the current implementation.
From my understanding the CSP interceptor registers a PreResultListener and
the CSP header is added only when Struts processes the result. I wanted to
clarify whether the following scenarios are expected:
*Case 1 – Response already committed:*
If an action writes to the response and explicitly flushes or commits it before
Struts processes the result, the response is already committed when the
PreResultListener executes. In this case the default Struts framework CSP
header cannot be added.
Is this considered an expected limitation of the current implementation? If the
objective of the CSP feature is to secure all responses, should this scenario be
handled differently or documented as a limitation?
*Case 2 – Response already contains a CSP header:*
Before Struts processes the action result, consider a scenario where Service A
internally calls Service B, and the response from Service B is directly
processed for the client. During its processing Service B may append its own
CSP header based on its requirements. Later, when the Struts PreResultListener
is invoked, it appears that Struts replaces the CSP header that was already set
by Service B.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
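The two situations the report describes, written up as an added example rather than Struts' own CspInterceptor code: a hypothetical PreResultListener that checks `isCommitted()` before setting the header (Case 1) and detects a CSP header already present on the response instead of replacing it (Case 2). It assumes Struts 2.5/6.x package names (com.opensymphony.xwork2) and the javax.servlet API; the class name and policy string are constructed.

```java
// Added example, not Struts' own code. Assumes Struts 2.5/6.x package names
// (com.opensymphony.xwork2) and the javax.servlet API.
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.PreResultListener;
import org.apache.struts2.ServletActionContext;

import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical PreResultListener covering the two cases from the report:
 * it does not touch a committed response, and it leaves an existing CSP
 * header alone rather than silently overwriting it.
 */
public class CspAwarePreResultListener implements PreResultListener {

    static final String CSP_HEADER = "Content-Security-Policy";
    // Constructed sample policy; a deployment supplies its own policy string.
    static final String DEFAULT_POLICY = "default-src 'self'; object-src 'none'";

    /** Why the header was or was not set, so the decision is visible in logs and tests. */
    enum Outcome { SET, SKIPPED_COMMITTED, KEPT_EXISTING }

    @Override
    public void beforeResult(ActionInvocation invocation, String resultCode) {
        HttpServletResponse response = ServletActionContext.getResponse();
        Outcome outcome = applyCsp(response, DEFAULT_POLICY);
        // Logging SKIPPED_COMMITTED lets operators find actions that flush the
        // response before the framework's CSP header can be added (Case 1).
        System.out.println(CSP_HEADER + " handling: " + outcome);
    }

    /** Case 1: committed responses accept no new headers. Case 2: keep an upstream CSP header. */
    static Outcome applyCsp(HttpServletResponse response, String policy) {
        if (response.isCommitted()) {
            // Headers are already on the wire; the Servlet API ignores setHeader() here.
            return Outcome.SKIPPED_COMMITTED;
        }
        if (response.containsHeader(CSP_HEADER)) {
            // Something earlier in the request (Service B in the report) set the policy.
            return Outcome.KEPT_EXISTING;
        }
        response.setHeader(CSP_HEADER, policy);
        return Outcome.SET;
    }
}
```

Whether an existing header should be kept, merged, or replaced is a policy choice; the point of the check is that the decision is explicit and observable rather than an accidental overwrite.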