[jira] [Updated] (SLING-7760) Sling Main Servlet - Change header configuration to a service

2020-01-10 Thread Jason Bailey (Jira)


[ https://issues.apache.org/jira/browse/SLING-7760?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jason Bailey updated SLING-7760:

Description: 
The ability to set headers must be done prior to any writing that occurs on the 
output stream. This is the reason why the headers are set to be configured in 
the Sling Main Servlet.

With Sling being used to maintain multiple sites, having a single set of 
response headers creates problems where the header provides a non-tailored 
response. One site may have a conflicting set of requirements than another site.

If the setting of headers was moved from being a configuration to being a 
service used by the Main Servlet, this would allow the following:
 * Headers set on a per site basis
 * Headers based on selected resource
 * Ability to modify the headers without causing the restart of the Sling Main 
Servlet
 ** Which if you're dealing with CSP headers can be a constant pain
 * Ability to create a CSP configuration Service that eases the use of CSP 
creation

was:
Currently, for us to set the global response headers we need to add these to 
the Sling Main Servlet.

The problem with this is:
 * Any changes to the Sling Main Servlet end up with the service restarting. 
This has a negative overall effect to the environment.
 * We run multiple domains out of a single instance. For a 
Content-Security-Header we end up putting in exemptions that should apply to 
one site for all sites. This is problematic from a security perspective.

Ideally we would be able to configure headers based on the domain that's being 
requested.


> Sling Main Servlet - Change header configuration to a service
>
> Key: SLING-7760
> URL: https://issues.apache.org/jira/browse/SLING-7760
> Project: Sling
> Issue Type: Improvement
> Reporter: Jason E Bailey
> Assignee: Jason E Bailey
> Priority: Major
>
> The ability to set headers must be done prior to any writing that occurs on the 
> output stream. This is the reason why the headers are set to be configured in 
> the Sling Main Servlet.
> With Sling being used to maintain multiple sites, having a single set of 
> response headers creates problems where the header provides a non-tailored 
> response. One site may have a conflicting set of requirements than another 
> site.
> If the setting of headers was moved from being a configuration to being a 
> service used by the Main Servlet, this would allow the following:
>  * Headers set on a per site basis
>  * Headers based on selected resource
>  * Ability to modify the headers without causing the restart of the Sling 
> Main Servlet
>  ** Which if you're dealing with CSP headers can be a constant pain
>  * Ability to create a CSP configuration Service that eases the use of CSP 
> creation
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
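
The service the issue proposes can be pictured with the following added example, which is not Sling code and not part of the original message. `SiteHeaderService`, its methods, the host names and the CSP values are all hypothetical and constructed for illustration. It resolves headers per requested host, swaps policies without a restart, and refuses to set headers once the response is committed.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.BiConsumer;

/** Hypothetical per-site header service; not a Sling API. */
public class SiteHeaderService {
    // Immutable snapshot, replaced atomically so a policy change needs no restart.
    private final AtomicReference<Map<String, Map<String, String>>> bySite =
            new AtomicReference<>(Map.of());
    private final Map<String, String> fallback;

    public SiteHeaderService(Map<String, String> fallback) {
        this.fallback = Map.copyOf(fallback);
    }

    public void update(Map<String, Map<String, String>> policies) {
        Map<String, Map<String, String>> copy = new LinkedHashMap<>();
        policies.forEach((host, h) -> copy.put(normalize(host), Map.copyOf(h)));
        bySite.set(Map.copyOf(copy));
    }

    /** Unknown hosts get the strict fallback, never another site's exemptions. */
    public Map<String, String> headersFor(String hostHeader) {
        return bySite.get().getOrDefault(normalize(hostHeader), fallback);
    }

    /** Returns false when the response is already committed and headers would be ignored. */
    public boolean apply(String hostHeader, boolean committed, BiConsumer<String, String> setHeader) {
        if (committed) return false;
        headersFor(hostHeader).forEach(setHeader);
        return true;
    }

    private static String normalize(String host) {
        if (host == null) return "";
        return host.trim().toLowerCase(Locale.ROOT).replaceFirst(":\\d+$", ""); // drop ":port"
    }

    public static void main(String[] args) {
        // Constructed sample policies: each site carries only its own CSP exemption.
        SiteHeaderService svc = new SiteHeaderService(Map.of("Content-Security-Policy", "default-src 'self'"));
        svc.update(Map.of(
            "shop.example", Map.of("Content-Security-Policy", "default-src 'self'; script-src 'self' https://pay.example"),
            "blog.example", Map.of("Content-Security-Policy", "default-src 'self'; img-src 'self' https://cdn.example")));
        for (String host : new String[] {"shop.example:443", "BLOG.example", "unknown.example"}) {
            svc.apply(host, false, (k, v) -> System.out.println(host + " -> " + k + ": " + v));
        }
        System.out.println("after commit: " + svc.apply("shop.example", true, (k, v) -> { }));
    }
}
```

In a servlet container the `committed` flag and the `setHeader` callback would map to `HttpServletResponse.isCommitted()` and `HttpServletResponse.setHeader(String, String)`.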


[jira] [Updated] (SLING-7760) Sling Main Servlet - Change header configuration to a service

2020-01-10 Thread Jason Bailey (Jira)


[ https://issues.apache.org/jira/browse/SLING-7760?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jason Bailey updated SLING-7760:

Summary: Sling Main Servlet - Change header configuration to a service  
(was: Contextual Additional Response Headers)

> Sling Main Servlet - Change header configuration to a service
>
> Key: SLING-7760
> URL: https://issues.apache.org/jira/browse/SLING-7760
> Project: Sling
> Issue Type: Improvement
> Reporter: Jason E Bailey
> Assignee: Jason E Bailey
> Priority: Major
>
> Currently, for us to set the global response headers we need to add these to 
> the Sling Main Servlet.
> The problem with this is:
>  * Any changes to the Sling Main Servlet end up with the service restarting. 
> This has a negative overall effect to the environment.
>  * We run multiple domains out of a single instance. For a 
> Content-Security-Header we end up putting in exemptions that should apply to 
> one site for all sites. This is problematic from a security perspective.
> Ideally we would be able to configure headers based on the domain that's 
> being requested.


