Hello Struts devs,

My name is Santiago, I'm a Security Engineer at Google. I am currently making preparations for this summer's Google internships, where we'd like to contribute security enhancements to a range of open source projects, one of which is Struts.

We have experience deploying several security mechanisms at scale. We understand that this is not a trivial process and would like to make it easier for Struts users to implement strong security policies, find blockers for deployment, locate pieces of code that need refactoring and set up monitoring for security violations. We'd be happy to collaborate with you this summer to make this happen!

We would like to evaluate the feasibility of providing the following protections in Struts, be it through out-of-the-box interceptors, plugins or suchlike:

- Protecting against XSS:
  - Content Security Policy restricts active content that is allowed to run in the browser. See https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
  - Trusted Types is a great technology for protecting against DOM XSS. There is a great primer at https://web.dev/trusted-types/
- Protecting against Cross-Site Request Forgery, XS-Leaks, Spectre & timing attacks through site isolation:
  - Fetch Metadata. See https://developer.mozilla.org/en-US/docs/Glossary/Fetch_metadata_request_header#:~:text=A%20fetch%20metadata%20request%20header,not%20be%20modified%20from%20JavaScript.
  - Cross-Origin Opener Policy. See https://web.dev/why-coop-coep/

We envision a world where users can build and deploy security policies for some of these technologies in Struts!

We are aware of the general contribution guidelines provided by the ASF and would like to know whether you could give us any further context on whether this has been attempted before, what issues you've come across generally in terms of security and whether you have any thoughts on what would be the best way for us to contribute.

Thank you for reading and I'm looking forward to hearing from you! :)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
For additional commands, e-mail: dev-h...@struts.apache.org
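To make the proposal concrete, here is an added, framework-agnostic sketch of what such an interceptor would have to decide. It is not code from the message above or from the Struts project: the class name, the `evaluate` method and the header values are illustrative assumptions. It implements the Fetch Metadata resource isolation policy that the linked MDN page describes (allow same-origin, same-site and user-initiated requests; allow cross-site top-level GET navigations except into `<object>`/`<embed>`; block everything else), with a report-only switch so a deployment can start by monitoring violations before enforcing, and it produces the CSP, Trusted Types and COOP response headers, each of which also has a report-only variant for the same staged rollout.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/**
 * Hypothetical helper (not part of Struts) that an interceptor or servlet
 * filter could call. It has no framework dependency on purpose: the caller
 * passes the relevant request headers in and applies the returned decision.
 */
public final class ResourceIsolationPolicy {

    public enum Decision { ALLOW, BLOCK }

    /** Sec-Fetch-Site values that never indicate a cross-site request. */
    private static final Set<String> TRUSTED_SITES = Set.of("same-origin", "same-site", "none");
    /** Cross-site navigations into these destinations are still blocked. */
    private static final Set<String> BLOCKED_NAV_DESTS = Set.of("object", "embed");

    private final boolean reportOnly;

    /** @param reportOnly when true, violations are logged but the request is allowed. */
    public ResourceIsolationPolicy(boolean reportOnly) {
        this.reportOnly = reportOnly;
    }

    /**
     * Resource isolation policy as described on the linked Fetch Metadata page.
     * Header arguments may be null when the browser did not send them.
     */
    public Decision evaluate(String secFetchSite, String secFetchMode,
                             String secFetchDest, String method) {
        // Browsers without Fetch Metadata support send no Sec-Fetch-Site header;
        // the policy fails open rather than breaking those clients.
        if (secFetchSite == null) {
            return Decision.ALLOW;
        }
        String site = secFetchSite.toLowerCase(Locale.ROOT);
        if (TRUSTED_SITES.contains(site)) {
            return Decision.ALLOW;
        }
        // Cross-site: permit only top-level GET navigations (links, address bar)
        // that do not land in an <object> or <embed> element.
        boolean navigation = "navigate".equalsIgnoreCase(secFetchMode)
                && "GET".equalsIgnoreCase(method)
                && (secFetchDest == null
                    || !BLOCKED_NAV_DESTS.contains(secFetchDest.toLowerCase(Locale.ROOT)));
        if (navigation) {
            return Decision.ALLOW;
        }
        if (reportOnly) {
            // Monitoring phase: surface the violation so blockers can be found
            // before enforcement is switched on.
            System.err.printf("fetch-metadata violation: site=%s mode=%s dest=%s method=%s%n",
                    secFetchSite, secFetchMode, secFetchDest, method);
            return Decision.ALLOW;
        }
        return Decision.BLOCK;
    }

    /**
     * Response headers the same interceptor would add. The CSP uses a per-response
     * nonce plus 'strict-dynamic' and turns on Trusted Types for DOM sinks; COOP
     * isolates the browsing context group. Report-only variants let both be
     * deployed in monitoring mode first.
     */
    public Map<String, String> responseHeaders(String cspNonce) {
        String csp = "script-src 'nonce-" + cspNonce + "' 'strict-dynamic'; "
                + "object-src 'none'; base-uri 'none'; require-trusted-types-for 'script'";
        String cspHeader = reportOnly ? "Content-Security-Policy-Report-Only" : "Content-Security-Policy";
        String coopHeader = reportOnly ? "Cross-Origin-Opener-Policy-Report-Only" : "Cross-Origin-Opener-Policy";
        return Map.of(cspHeader, csp, coopHeader, "same-origin");
    }

    /** Constructed sample requests, illustrating the policy outcomes. */
    public static void main(String[] args) {
        ResourceIsolationPolicy enforce = new ResourceIsolationPolicy(false);
        // Same-origin XHR from the app's own page: allowed.
        System.out.println(enforce.evaluate("same-origin", "cors", "empty", "POST"));      // ALLOW
        // Cross-site form POST (classic CSRF shape): blocked.
        System.out.println(enforce.evaluate("cross-site", "navigate", "document", "POST")); // BLOCK
        // User follows a link from another site: allowed.
        System.out.println(enforce.evaluate("cross-site", "navigate", "document", "GET"));  // ALLOW
        // Cross-site page embedding the app in <object>: blocked.
        System.out.println(enforce.evaluate("cross-site", "navigate", "object", "GET"));    // BLOCK
        // Legacy browser without Fetch Metadata: allowed (fail open).
        System.out.println(enforce.evaluate(null, null, null, "POST"));                     // ALLOW
        System.out.println(enforce.responseHeaders("r4nd0m-nonce"));
    }
}
```

The report-only constructor flag is what ties the example back to the "find blockers for deployment" and "set up monitoring" goals in the message: a Struts plugin would typically ship with it on, so that legitimate cross-site integrations show up in the logs before any request is refused.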