[ 
https://issues.apache.org/jira/browse/WW-5638?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18091773#comment-18091773
 ] 

Lukasz Lenart commented on WW-5638:
-----------------------------------

It's better to ask such questions on the Developers Mailing List, it gets more attention -> [https://struts.apache.org/dev-mail.html]

Case 1 - I would assume this should be extended to all the responses (maybe except stream result)

Case 2 - Only Struts should manage the headers, not some Service; if there is a need for custom logic, it should be exposed via an *Aware interface, similar to [CspSettingsAware.java|https://github.com/apache/struts/blob/main/core/src/main/java/org/apache/struts2/action/CspSettingsAware.java]

> Clarification on CSP Header Processing and PreResultListener Behavior
> ---------------------------------------------------------------------
>
>                 Key: WW-5638
>                 URL: https://issues.apache.org/jira/browse/WW-5638
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core Interceptors
>            Reporter: Chan
>            Priority: Minor
>              Labels: Clarification
>
> While evaluating the Struts CSP support I had a couple of questions regarding 
> the current implementation.
> From my understanding the CSP interceptor registers a PreResultListener and 
> the CSP header is added only when Struts processes the result. I wanted to 
> clarify whether the following scenarios are expected:
> *Case 1 – Response already committed:*
> If an action writes to the response and explicitly flushes or commits it 
> before Struts processes the result, the response is already committed when 
> the PreResultListener executes. In this case the default Struts framework CSP 
> header cannot be added.
> Is this considered an expected limitation of the current implementation? If 
> the objective of the CSP feature is to secure all responses should this 
> scenario be handled differently or documented as a limitation?
>  
> *Case 2 – Response already contains a CSP header:*
> Before Struts processes the action result, consider a scenario where Service 
> A internally calls Service B, and the response from Service B is directly 
> processed for the client. During its processing Service B may append its own 
> CSP header based on its requirements. Later, when the Struts 
> PreResultListener is invoked, it appears that Struts replaces the CSP header 
> that was already set by Service B.
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
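
Added illustration (not code from the issue, the commenter, or the Struts project) of the *Aware approach the comment points to: a Struts action that implements CspSettingsAware and hands the interceptor a CspSettings which skips header injection when the response is already committed (Case 1, where the Servlet API discards headers set after commit) and leaves an existing Content-Security-Policy header in place instead of replacing it (Case 2). It assumes the main-branch API as linked above: the CspInterceptor calls getCspSettings() on actions implementing CspSettingsAware, its PreResultListener invokes CspSettings.addCspHeaders(HttpServletRequest, HttpServletResponse), and DefaultCspSettings (with setEnforcingMode and setReportUri) is the framework's default implementation. The package, class and "/csp-report" URI are hypothetical. Whether the framework itself should behave this way is exactly what the issue is asking.

```java
package com.example.csp; // hypothetical package for this illustration

import java.util.logging.Logger;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.apache.struts2.ActionSupport;
import org.apache.struts2.action.CspSettingsAware;
import org.apache.struts2.interceptor.csp.CspSettings;
import org.apache.struts2.interceptor.csp.DefaultCspSettings;

/**
 * Hypothetical action demonstrating the *Aware hook.
 * Assumed Struts behaviour: the CspInterceptor detects CspSettingsAware on the
 * action and, in the PreResultListener it registers, calls
 * getCspSettings().addCspHeaders(request, response) instead of using its own
 * DefaultCspSettings instance.
 */
public class ReportingAction extends ActionSupport implements CspSettingsAware {

    private static final Logger LOG = Logger.getLogger(ReportingAction.class.getName());

    private static final String CSP_HEADER = "Content-Security-Policy";
    private static final String CSP_REPORT_ONLY_HEADER = "Content-Security-Policy-Report-Only";

    @Override
    public CspSettings getCspSettings() {
        NonClobberingCspSettings settings = new NonClobberingCspSettings();
        settings.setEnforcingMode(true);      // enforce, rather than Report-Only
        settings.setReportUri("/csp-report"); // hypothetical violation-report endpoint
        return settings;
    }

    @Override
    public String execute() {
        return SUCCESS;
    }

    /**
     * Extends DefaultCspSettings (assumed to build the nonce-based policy and
     * call response.setHeader inside addCspHeaders) with the two checks the
     * issue describes.
     */
    static final class NonClobberingCspSettings extends DefaultCspSettings {

        @Override
        public void addCspHeaders(HttpServletRequest request, HttpServletResponse response) {
            // Case 1: HttpServletResponse.setHeader is a silent no-op once the
            // response is committed, so an action that flushed its own output
            // ships without a CSP header. Log it rather than fail silently.
            if (response.isCommitted()) {
                LOG.warning("response already committed; CSP header for "
                        + request.getRequestURI() + " was not added");
                return;
            }

            // Case 2: keep a policy set earlier in the request instead of
            // overwriting it with the framework default.
            if (response.containsHeader(CSP_HEADER)
                    || response.containsHeader(CSP_REPORT_ONLY_HEADER)) {
                LOG.fine("CSP header already present for "
                        + request.getRequestURI() + "; keeping it");
                return;
            }

            super.addCspHeaders(request, response);
        }
    }
}
```

The committed-response check only makes the gap observable; it cannot recover the header, which is why Case 1 is a documentation or design question rather than something an action can fix on its own.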
