[ https://issues.apache.org/jira/browse/WW-5084?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17164247#comment-17164247 ]
Santiago Diaz commented on WW-5084: ----------------------------------- Yes, if possible we'd like to register our own Action programmatically at runtime that would be bound to a URI chosen by the user and passed as a parameter to an interceptor. The user wouldn't have to provide anything else apart from the URI. > Content Security Policy support > ------------------------------- > > Key: WW-5084 > URL: https://issues.apache.org/jira/browse/WW-5084 > Project: Struts 2 > Issue Type: New Feature > Components: Core Interceptors, Core Tags > Affects Versions: 2.6 > Reporter: Santiago Diaz > Priority: Major > Fix For: 2.6 > > > We'd like to add built-in Content Security Policy support to Struts2 to > provide a major security mechanism that developers can use to protect against > common Cross-Site Scripting vulnerabilities. Developers will have the ability > to enable CSP in report-only or enforcement mode. > We will provide an out of the box tag that can be used by developers to > use/import scripts in their web applications, so that these will > automatically get nonces that are compatible with their Content Security > policies. > Finally, we will provide a built-in handler for CSP violation reports that > will be used to collect and provide textual explanations of these reports. > This endpoint will be used by developers to debug CSP violations and locate > pieces of code that need to be refactored to support strong policies. -- This message was sent by Atlassian Jira (v8.3.4#803005)