[jira] [Commented] (WW-5400) CSP interceptor only allows very limited configuration
[ https://issues.apache.org/jira/browse/WW-5400?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17839004#comment-17839004 ]

Erica Kane commented on WW-5400:

It seemed the simplest way, this is a parameter in struts.xml. We have never injected any beans there, only via Spring. But if there is a better way, and it's compatible with those of us who use Spring to do the wiring, please go ahead.

> CSP interceptor only allows very limited configuration
>
> Key: WW-5400
> URL: https://issues.apache.org/jira/browse/WW-5400
> Project: Struts 2
> Issue Type: Improvement
> Components: Core Interceptors
> Affects Versions: 6.3.0
> Reporter: Erica Kane
> Priority: Major
> Fix For: 6.5.0
>
> Time Spent: 1h 10m
> Remaining Estimate: 0h
>
> I have been trying to implement CSP on our website. The CSP interceptor
> provides an elegant solution with the and tags. However,
> I want to set my own base-uri. And perhaps make some other changes to the CSP
> headers.
> But these values are not accessible. Only the report-only and report-uri can
> be changed. Even if one is willing to work at the Action level and implement
> a new interface for all of them, I can't change the base-uri. I've seen
> people on Stack Overflow disable it for this reason. I want to use it, but
> could someone please explain how to set the base-uri globally? If not, I will
> likely have to make my own.
> P.S. I will update the documentation page. Nowhere in the description of the
> interceptor does it mention the script and link tags, and without those, it
> is useless!

--
This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (WW-5400) CSP interceptor only allows very limited configuration
[ https://issues.apache.org/jira/browse/WW-5400?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17838859#comment-17838859 ]

Lukasz Lenart commented on WW-5400:

Why do you want to inject a class name instead of an existing bean?
[jira] [Commented] (WW-5400) CSP interceptor only allows very limited configuration
[ https://issues.apache.org/jira/browse/WW-5400?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17837280#comment-17837280 ]

Erica Kane commented on WW-5400:

[~lukaszlenart] I've made the requested code changes. Please see my comments regarding the injection option. You know that better than I do for Struts, I just want to be sure that the default settings class name is treated as a String parameter into the interceptor. My code was designed to make that clear.
[jira] [Commented] (WW-5400) CSP interceptor only allows very limited configuration
[ https://issues.apache.org/jira/browse/WW-5400?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17835911#comment-17835911 ]

Erica Kane commented on WW-5400:

Also the documentation should be updated, once live, or no one will know how to use this.

> CSP interceptor only allows very limited configuration
>
> Key: WW-5400
> URL: https://issues.apache.org/jira/browse/WW-5400
> Project: Struts 2
> Issue Type: Improvement
> Components: Core Interceptors
> Affects Versions: 6.3.0
> Reporter: Erica Kane
> Priority: Major
> Fix For: 6.5.0
>
> Time Spent: 10m
> Remaining Estimate: 0h
[jira] [Commented] (WW-5400) CSP interceptor only allows very limited configuration
[ https://issues.apache.org/jira/browse/WW-5400?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17835910#comment-17835910 ]

Erica Kane commented on WW-5400:

[~lukaszlenart] I have submitted a pull request for my changes (username eschulma). Enjoy!
[jira] [Commented] (WW-5400) CSP interceptor only allows very limited configuration
[ https://issues.apache.org/jira/browse/WW-5400?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17830732#comment-17830732 ]

Erica Kane commented on WW-5400:

Hi Lukasz, yes, our version is live in production. I am on spring break -- hope to revise for submission to you in mid-April.

On Sun, 24 Mar 2024 08:05:00 + (UTC)

> CSP interceptor only allows very limited configuration
>
> Key: WW-5400
> URL: https://issues.apache.org/jira/browse/WW-5400
> Project: Struts 2
> Issue Type: Improvement
> Components: Core Interceptors
> Affects Versions: 6.3.0
> Reporter: Erica Kane
> Priority: Major
> Fix For: 6.4.0
[jira] [Commented] (WW-5400) CSP interceptor only allows very limited configuration
[ https://issues.apache.org/jira/browse/WW-5400?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17830216#comment-17830216 ]

Lukasz Lenart commented on WW-5400:

[~ekane] any update?
[jira] [Commented] (WW-5400) CSP interceptor only allows very limited configuration
[ https://issues.apache.org/jira/browse/WW-5400?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17824622#comment-17824622 ]

Lukasz Lenart commented on WW-5400:

[~ekane] any change coming from users is the most welcome one :) I see your point and we can build a set of layers that can be used: framework wide settings, stack/interceptor params and finally action based options (like the Aware interface)
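The layering described in the comment above (framework-wide settings, then stack/interceptor params, then action-level options), sketched as an added example that is not part of the thread and not Struts code. The class, its method names, the `{nonce}` placeholder and the sample directive values are all hypothetical.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

// Illustrative model only: none of these names are Struts classes or parameters.
public class LayeredCspExample {

    // Build one configuration layer from directive/value pairs.
    static Map<String, String> layer(String... pairs) {
        Map<String, String> m = new LinkedHashMap<>();
        for (int i = 0; i + 1 < pairs.length; i += 2) {
            m.put(pairs[i], pairs[i + 1]);
        }
        return m;
    }

    // Merge layers in order; a later layer replaces a directive set by an earlier one.
    @SafeVarargs
    static Map<String, String> resolve(Map<String, String>... layers) {
        Map<String, String> merged = new LinkedHashMap<>();
        for (Map<String, String> l : layers) {
            merged.putAll(l);
        }
        return merged;
    }

    // Fresh nonce per response; a reused or guessable nonce defeats script-src.
    static String newNonce() {
        byte[] raw = new byte[18];
        new SecureRandom().nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    // Serialize the merged directives into a single header value.
    static String headerValue(Map<String, String> directives, String nonce) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : directives.entrySet()) {
            if (sb.length() > 0) sb.append("; ");
            sb.append(e.getKey()).append(' ')
              .append(e.getValue().replace("{nonce}", "'nonce-" + nonce + "'"));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample values for each layer (assumptions, not Struts defaults).
        Map<String, String> framework = layer(
            "object-src", "'none'",
            "script-src", "{nonce} 'strict-dynamic'",
            "base-uri", "'none'");
        Map<String, String> stack = layer("base-uri", "'self'", "report-uri", "/csp-report");
        Map<String, String> action = layer("frame-ancestors", "'none'");

        Map<String, String> policy = resolve(framework, stack, action);
        // One header is emitted; base-uri comes from the stack layer, not the framework layer.
        System.out.println("Content-Security-Policy: " + headerValue(policy, newNonce()));
    }
}
```

Merging into one header matters because a browser enforces every `Content-Security-Policy` header it receives, so a second header can only tighten the policy and cannot loosen or replace a `base-uri` already sent.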
[jira] [Commented] (WW-5400) CSP interceptor only allows very limited configuration
[ https://issues.apache.org/jira/browse/WW-5400?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17824535#comment-17824535 ]

Erica Kane commented on WW-5400:

I already wrote this for our company, so I will go ahead and make a pull request.
[jira] [Commented] (WW-5400) CSP interceptor only allows very limited configuration
[ https://issues.apache.org/jira/browse/WW-5400?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17824059#comment-17824059 ]

Erica Kane commented on WW-5400:

The addCspHeaders is singular, which is good. But I still don't want to put a custom CspSettings in separately for each and every action in my app. Would it make sense for me to add a parameter defaultCspSettingsClass that could be set at the stack level? If you approve, I am willing to make a pull request for that.
[jira] [Commented] (WW-5400) CSP interceptor only allows very limited configuration
[ https://issues.apache.org/jira/browse/WW-5400?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17824024#comment-17824024 ]

Erica Kane commented on WW-5400:

Lukasz, I will certainly give that a try. I interpreted `addCspHeaders` as actually adding an additional HTTP header, which would not be the desired behavior. Perhaps that assumption was incorrect. I will test it.

But even if that works – forcing every single action in my app to implement this interface is hardly desirable. I use `base-uri` on every page. And there are many, many other CSP headers that are valuable.

I believe that what I would be looking for is a way to replace the `DefaultCspSettings` class at an app-wide level, and I did not see that in the source code. If there is a way to do it please let me know!
[jira] [Commented] (WW-5400) CSP interceptor only allows very limited configuration
[ https://issues.apache.org/jira/browse/WW-5400?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17823867#comment-17823867 ]

Lukasz Lenart commented on WW-5400:

Not sure if I understand the requirements. Currently (since Struts 6.2.0) you can use {{CspSettingsAware}} interface on your action to implement custom behaviour and you have full control over {{base-uri}} in such case (via {{addCspHeaders}}). What else do you need?

I encourage you to prepare a PR then it will be easier to discuss the changes.