[ 
https://issues.apache.org/jira/browse/WW-5638?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lukasz Lenart updated WW-5638:
------------------------------
    Fix Version/s: 7.2.1

> Clarification on CSP Header Processing and PreResultListener Behavior
> ---------------------------------------------------------------------
>
>                 Key: WW-5638
>                 URL: https://issues.apache.org/jira/browse/WW-5638
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core Interceptors
>            Reporter: Chan
>            Priority: Minor
>              Labels: Clarification
>             Fix For: 7.2.1
>
>
> While evaluating the Struts CSP support I had a couple of questions regarding 
> the current implementation.
> From my understanding the CSP interceptor registers a PreResultListener and 
> the CSP header is added only when Struts processes the result. I wanted to 
> clarify whether the following scenarios are expected:
> *Case 1 – Response already committed:*
> If an action writes to the response and explicitly flushes or commits it 
> before Struts processes the result, the response is already committed when 
> the PreResultListener executes. In this case the default Struts framework CSP 
> header cannot be added.
> Is this considered an expected limitation of the current implementation? If 
> the objective of the CSP feature is to secure all responses, should this 
> scenario be handled differently or documented as a limitation?
>  
> *Case 2 – Response already contains a CSP header:*
> Before Struts processes the action result, consider a scenario where Service 
> A internally calls Service B, and the response from Service B is directly 
> processed for the client. During its processing Service B may append its own 
> CSP header based on its requirements. Later, when the Struts 
> PreResultListener is invoked, it appears that Struts replaces the CSP header 
> that was already set by Service B.
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
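The two cases in the report, shown as an added example that is not part of the Struts code base or of the issue: a helper a PreResultListener-style hook could call at beforeResult() time, which detects a committed response (Case 1) and an existing upstream header (Case 2) instead of blindly overwriting. It assumes the Jakarta Servlet API; the class name, the applyCspHeader method and the Outcome enum are hypothetical.

```java
// Added example, not Struts code: what a result-time hook can safely do with the
// Content-Security-Policy header. Assumes jakarta.servlet; names are hypothetical.
import jakarta.servlet.http.HttpServletResponse;

public final class CspHeaderHook {

    public static final String CSP = "Content-Security-Policy";

    /** Outcome of the attempt, so the caller can log or assert what happened. */
    public enum Outcome { SET, SKIPPED_COMMITTED, KEPT_EXISTING, REPLACED }

    private CspHeaderHook() {}

    /**
     * @param response     the servlet response as seen when the result is processed
     * @param policy       the framework's default policy string
     * @param keepExisting true: honour a header an upstream component already set
     *                     (Case 2 in the report); false: replace it, as reported
     */
    public static Outcome applyCspHeader(HttpServletResponse response,
                                         String policy, boolean keepExisting) {
        // Case 1: headers were already sent to the client. Servlet containers ignore
        // header changes after commit, so record the miss instead of pretending.
        if (response.isCommitted()) {
            return Outcome.SKIPPED_COMMITTED;
        }
        // Case 2: another component (Service B in the report) set its own policy.
        if (response.containsHeader(CSP)) {
            if (keepExisting) {
                return Outcome.KEPT_EXISTING;
            }
            response.setHeader(CSP, policy); // setHeader replaces every existing value
            return Outcome.REPLACED;
        }
        response.setHeader(CSP, policy);
        return Outcome.SET;
    }
}
```

Using addHeader() instead of setHeader() in the Case 2 branch would emit two CSP headers, which browsers enforce independently (a resource must satisfy both), so it tightens the effective policy rather than merging the two.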
