[ 
https://issues.apache.org/jira/browse/WW-5083?focusedWorklogId=460140&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-460140
 ]

ASF GitHub Bot logged work on WW-5083:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 17/Jul/20 07:49
            Start Date: 17/Jul/20 07:49
    Worklog Time Spent: 10m 
      Work Description: salcho commented on pull request #426:
URL: https://github.com/apache/struts/pull/426#issuecomment-659935747


   Hi @lukaszlenart, sorry, I couldn't reply to your comment so here's my 
reply:
   
   I think this case is slightly different than usual in that there are two 
outcomes for Fetch Metadata: we **always** register ourselves as a 
`PreResultListener` (line 69) and then we have two possible outcomes: either 
the request is accepted as legitimate (in which case we let the interceptor 
chain continue and eventually our `beforeResult` method is called) or we reject 
the request and by doing so interrupt the chain of interceptors. In the latter, 
the `beforeResult` callback is never called, but because we still want to add 
the `Vary` headers, we call it manually to reuse that logic.
   
   If this code is somewhat harder to read, we could extract the logic for 
adding the `Vary` headers into a separate method and call that method 
explicitly in the rejection branch, so that it doesn't look like we're trying 
to do something related to the responsibilities of `PreResultListener`.
   
   What do you think?


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]


Issue Time Tracking
-------------------

    Worklog Id:     (was: 460140)
    Time Spent: 2h 20m  (was: 2h 10m)

> Fetch Metadata support
> ----------------------
>
>                 Key: WW-5083
>                 URL: https://issues.apache.org/jira/browse/WW-5083
>             Project: Struts 2
>          Issue Type: New Feature
>          Components: Core Interceptors
>            Reporter: Santiago Diaz
>            Priority: Major
>             Fix For: 2.6
>
>          Time Spent: 2h 20m
>  Remaining Estimate: 0h
>
> We'd like to add built-in Fetch Metadata support to Struts2 to provide a 
> simple security mechanism that developers can use to protect against 
> Cross-Site Request Forgery vulnerabilities



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
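
The control flow discussed in the comment above, as an added plain-JDK sketch that is not code from the pull request or from Struts. It shows the suggested refactoring: one `addVaryHeaders` method used both by the pre-result callback and by the rejection branch. The `Invocation` class, the result names, the `Vary` value and the simplified accept/reject rule are all assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class FetchMetadataVarySketch {
    // Assumed header list; the comment only speaks of "the Vary headers".
    static final String VARY_VALUE = "Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site";

    /** Hypothetical stand-in for an action invocation with pre-result callbacks. */
    static class Invocation {
        String method = "GET";
        final Map<String, String> request = new HashMap<>();
        final Map<String, String> response = new HashMap<>();
        final List<Runnable> preResultListeners = new ArrayList<>();
        String invoke() {
            preResultListeners.forEach(Runnable::run); // fires only if the chain completes
            return "success";
        }
    }

    // Single home for the header logic, shared by both outcomes.
    static void addVaryHeaders(Invocation inv) {
        inv.response.put("Vary", VARY_VALUE);
    }

    // Simplified rule (assumption): cross-site requests pass only as GET navigations.
    static boolean isAllowed(Invocation inv) {
        String site = inv.request.get("Sec-Fetch-Site");
        if (site == null || !site.equals("cross-site")) return true;
        return "navigate".equals(inv.request.get("Sec-Fetch-Mode")) && "GET".equals(inv.method);
    }

    static String intercept(Invocation inv) {
        inv.preResultListeners.add(() -> addVaryHeaders(inv)); // always registered
        if (!isAllowed(inv)) {
            addVaryHeaders(inv);  // chain is interrupted, so the listener never fires
            return "forbidden";   // hypothetical result name
        }
        return inv.invoke();      // accepted: the listener adds the header
    }

    public static void main(String[] args) {
        Invocation sameOrigin = new Invocation();          // constructed sample request
        sameOrigin.request.put("Sec-Fetch-Site", "same-origin");
        Invocation crossSite = new Invocation();           // constructed sample request
        crossSite.request.put("Sec-Fetch-Site", "cross-site");
        crossSite.request.put("Sec-Fetch-Mode", "cors");
        for (Invocation inv : List.of(sameOrigin, crossSite)) {
            System.out.println(intercept(inv) + " Vary=" + inv.response.get("Vary"));
        }
    }
}
```

Both sample requests end up with the same `Vary` value, so a shared cache keys accepted and rejected responses on the same request headers.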
