[ 
https://issues.apache.org/jira/browse/WW-5083?focusedWorklogId=458521&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-458521
 ]

ASF GitHub Bot logged work on WW-5083:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 14/Jul/20 08:43
            Start Date: 14/Jul/20 08:43
    Worklog Time Spent: 10m 
      Work Description: salcho opened a new pull request #426:
URL: https://github.com/apache/struts/pull/426


   Hello Struts devs,
   
   This PR builds Fetch Metadata support for Struts2, namely:
   
   - If a request has `Sec-Fetch-*` headers (i.e. comes from a modern browser), 
the Fetch Metadata Interceptor will reject the request if it is requested 
cross-site (a potential CSRF attack).
   - One default Resource Isolation Policy is provided based on 
https://web.dev/fetch-metadata/, which prevents all major cross-site request 
forgery attacks.
   - This Interceptor gives the ability to add exemptions to this security 
mitigation, that is: URLs that are meant to be accessed cross-site.
   - The Fetch Metadata Interceptor has been added to the default interceptor 
stack.
   - The `Vary` header has been added to responses to ensure that any cached 
responses include Fetch Metadata headers in their key. This is an added layer 
of security against cache poisoning.


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]
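
The default Resource Isolation Policy described in the PR above, written out as a stand-alone class so the decision it makes on each request is visible. This is an added example, not the Struts FetchMetadataInterceptor from the PR and not code by its author; it follows the policy at https://web.dev/fetch-metadata/ and has no Struts dependency. The class name, the exemption list and the sample requests in main() are assumed for illustration.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/**
 * Stand-alone model of the Resource Isolation Policy from
 * https://web.dev/fetch-metadata/, written for this page as an illustration.
 * It is NOT the Struts FetchMetadataInterceptor and has no Struts dependency;
 * the exemption list and the sample requests in main() are assumed values.
 */
public class ResourceIsolationPolicy {

    /** Value for the Vary header so shared caches key on Fetch Metadata. */
    public static final String VARY_VALUE = "Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site";

    /** Request paths that are meant to be reachable cross-site (assumed for this example). */
    private final Set<String> exemptedPaths;

    public ResourceIsolationPolicy(Set<String> exemptedPaths) {
        this.exemptedPaths = exemptedPaths;
    }

    /**
     * Returns true if the request may proceed to the action, false if it should be
     * rejected (an interceptor would typically answer 403 Forbidden instead).
     */
    public boolean isAllowed(String method, String path, Map<String, String> headers) {
        if (exemptedPaths.contains(path)) {
            return true; // explicitly exempted: this URL is intended for cross-site use
        }
        String site = header(headers, "Sec-Fetch-Site");
        String mode = header(headers, "Sec-Fetch-Mode");
        String dest = header(headers, "Sec-Fetch-Dest");

        // 1. No Sec-Fetch-Site: an older browser or a non-browser client. Fetch
        //    Metadata cannot judge it, so it passes and other CSRF defences
        //    (e.g. tokens) must still cover it.
        if (site == null) {
            return true;
        }
        // 2. Same-origin, same-site and user-initiated ("none", e.g. typed URL or
        //    bookmark) requests cannot be forged by a third-party page.
        if (site.equals("same-origin") || site.equals("same-site") || site.equals("none")) {
            return true;
        }
        // 3. Cross-site top-level GET navigations stay allowed so that links into
        //    the application keep working, but not when the destination is
        //    <object> or <embed>, which a page can load without user action.
        if ("navigate".equals(mode) && "GET".equalsIgnoreCase(method)
                && !"object".equals(dest) && !"embed".equals(dest)) {
            return true;
        }
        // 4. Anything else is cross-site and non-navigational (a cross-site form
        //    POST, fetch(), <img>, <script> ...): this is the CSRF shape, reject it.
        return false;
    }

    /** Case-insensitive header lookup; values are normalised to lower case. */
    private static String header(Map<String, String> headers, String name) {
        for (Map.Entry<String, String> e : headers.entrySet()) {
            if (e.getKey().equalsIgnoreCase(name)) {
                return e.getValue().trim().toLowerCase(Locale.ROOT);
            }
        }
        return null;
    }

    public static void main(String[] args) {
        ResourceIsolationPolicy policy = new ResourceIsolationPolicy(Set.of("/api/public/feed"));

        // Constructed sample requests (header maps), not captured traffic.
        check(policy, "forged cross-site form POST", "POST", "/transfer",
                Map.of("Sec-Fetch-Site", "cross-site", "Sec-Fetch-Mode", "navigate",
                       "Sec-Fetch-Dest", "document"), false);
        check(policy, "same-origin form POST", "POST", "/transfer",
                Map.of("Sec-Fetch-Site", "same-origin", "Sec-Fetch-Mode", "navigate",
                       "Sec-Fetch-Dest", "document"), true);
        check(policy, "cross-site link click", "GET", "/account",
                Map.of("Sec-Fetch-Site", "cross-site", "Sec-Fetch-Mode", "navigate",
                       "Sec-Fetch-Dest", "document"), true);
        check(policy, "cross-site <embed>", "GET", "/account",
                Map.of("Sec-Fetch-Site", "cross-site", "Sec-Fetch-Mode", "navigate",
                       "Sec-Fetch-Dest", "embed"), false);
        check(policy, "cross-site fetch() call", "GET", "/api/me",
                Map.of("Sec-Fetch-Site", "cross-site", "Sec-Fetch-Mode", "cors",
                       "Sec-Fetch-Dest", "empty"), false);
        check(policy, "exempted public endpoint", "GET", "/api/public/feed",
                Map.of("Sec-Fetch-Site", "cross-site", "Sec-Fetch-Mode", "cors",
                       "Sec-Fetch-Dest", "empty"), true);
        check(policy, "client without Fetch Metadata", "POST", "/transfer", Map.of(), true);

        System.out.println("Vary: " + VARY_VALUE);
    }

    private static void check(ResourceIsolationPolicy policy, String label, String method,
                              String path, Map<String, String> headers, boolean expected) {
        boolean allowed = policy.isAllowed(method, path, headers);
        System.out.printf("%-32s -> %s%n", label, allowed ? "allowed" : "rejected");
        if (allowed != expected) {
            throw new AssertionError("unexpected decision for: " + label);
        }
    }
}
```

Two points worth noting when reading the decisions. First, a request with no `Sec-Fetch-*` headers is allowed through (step 1), so the policy only adds protection for clients that send Fetch Metadata; an existing token-based CSRF defence is still needed for everything else. Second, the `Vary` value is there because a cache that ignores these headers could serve a response produced for a same-origin request to a cross-site caller, which is the cache-poisoning concern the PR's last bullet refers to; in a Struts interceptor the decision above would sit around `invocation.invoke()` and the header would be set on the response before the action runs.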


Issue Time Tracking
-------------------

            Worklog Id:     (was: 458521)
    Remaining Estimate: 0h
            Time Spent: 10m

> Fetch Metadata support
> ----------------------
>
>                 Key: WW-5083
>                 URL: https://issues.apache.org/jira/browse/WW-5083
>             Project: Struts 2
>          Issue Type: New Feature
>          Components: Core Interceptors
>            Reporter: Santiago Diaz
>            Priority: Major
>             Fix For: 2.6
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> We'd like to add built-in Fetch Metadata support to Struts2 to provide a 
> simple security mechanism that developers can use to protect against 
> Cross-Site Request Forgery vulnerabilities.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
