[ https://issues.apache.org/jira/browse/WW-5084?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17187323#comment-17187323 ]
ASF subversion and git services commented on WW-5084: ----------------------------------------------------- Commit 6210afa747a67cabcddd6d72f675ed3d8023bda5 in struts's branch refs/heads/master from Aleksandr Mashchenko [ https://gitbox.apache.org/repos/asf?p=struts.git;h=6210afa ] Merge pull request #430 from salcho/post-ww-5083 WW-5084: Add Content Security Policy support to Struts > Content Security Policy support > ------------------------------- > > Key: WW-5084 > URL: https://issues.apache.org/jira/browse/WW-5084 > Project: Struts 2 > Issue Type: New Feature > Components: Core Interceptors, Core Tags > Affects Versions: 2.6 > Reporter: Santiago Diaz > Priority: Major > Fix For: 2.6 > > Time Spent: 5h 10m > Remaining Estimate: 0h > > We'd like to add built-in Content Security Policy support to Struts2 to > provide a major security mechanism that developers can use to protect against > common Cross-Site Scripting vulnerabilities. Developers will have the ability > to enable CSP in report-only or enforcement mode. > We will provide an out of the box tag that can be used by developers to > use/import scripts in their web applications, so that these will > automatically get nonces that are compatible with their Content Security > policies. > Finally, we will provide a built-in handler for CSP violation reports that > will be used to collect and provide textual explanations of these reports. > This endpoint will be used by developers to debug CSP violations and locate > pieces of code that need to be refactored to support strong policies. -- This message was sent by Atlassian Jira (v8.3.4#803005)