[jira] [Resolved] (WW-5084) Content Security Policy support

2022-11-09 Thread Lukasz Lenart (Jira)


 [ https://issues.apache.org/jira/browse/WW-5084?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lukasz Lenart resolved WW-5084.
---
Resolution: Fixed

> Content Security Policy support
> ---
>
> Key: WW-5084
> URL: https://issues.apache.org/jira/browse/WW-5084
> Project: Struts 2
> Issue Type: New Feature
> Components: Core Interceptors, Core Tags
> Affects Versions: 6.0.0
> Reporter: Santiago Diaz
> Priority: Major
> Fix For: 6.0.0
>
> Time Spent: 5h 10m
> Remaining Estimate: 0h
>
> We'd like to add built-in Content Security Policy support to Struts2 to 
> provide a major security mechanism that developers can use to protect against 
> common Cross-Site Scripting vulnerabilities. Developers will have the ability 
> to enable CSP in report-only or enforcement mode.
> We will provide an out-of-the-box tag that can be used by developers to 
> use/import scripts in their web applications, so that these will 
> automatically get nonces that are compatible with their Content Security 
> policies.
> Finally, we will provide a built-in handler for CSP violation reports that 
> will be used to collect and provide textual explanations of these reports. 
> This endpoint will be used by developers to debug CSP violations and locate 
> pieces of code that need to be refactored to support strong policies.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Resolved] (WW-5084) Content Security Policy support

2021-01-03 Thread Lukasz Lenart (Jira)


 [ https://issues.apache.org/jira/browse/WW-5084?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lukasz Lenart resolved WW-5084.
---
Resolution: Fixed

> Content Security Policy support
> ---
>
> Key: WW-5084
> URL: https://issues.apache.org/jira/browse/WW-5084
> Project: Struts 2
> Issue Type: New Feature
> Components: Core Interceptors, Core Tags
> Affects Versions: 2.6
> Reporter: Santiago Diaz
> Priority: Major
> Fix For: 2.6
>
> Time Spent: 5h 10m
> Remaining Estimate: 0h
>
> We'd like to add built-in Content Security Policy support to Struts2 to 
> provide a major security mechanism that developers can use to protect against 
> common Cross-Site Scripting vulnerabilities. Developers will have the ability 
> to enable CSP in report-only or enforcement mode.
> We will provide an out-of-the-box tag that can be used by developers to 
> use/import scripts in their web applications, so that these will 
> automatically get nonces that are compatible with their Content Security 
> policies.
> Finally, we will provide a built-in handler for CSP violation reports that 
> will be used to collect and provide textual explanations of these reports. 
> This endpoint will be used by developers to debug CSP violations and locate 
> pieces of code that need to be refactored to support strong policies.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
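
The three pieces the issue description names (a report-only or enforcement header, script tags that carry the nonce, and a handler that explains violation reports), shown as an added, framework-neutral Python example; it is not Struts code and does not use the Struts API. The policy string, the `/csp-report` path, all function names and the sample report are assumptions constructed for illustration.

```python
import base64
import html
import json
import secrets

REPORT_URI = "/csp-report"  # assumed endpoint path, not taken from Struts


def new_nonce() -> str:
    """Unpredictable per-response nonce (16 random bytes, base64)."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def csp_header(nonce: str, enforce: bool) -> tuple:
    """Header (name, value); report-only mode reports violations without blocking."""
    name = "Content-Security-Policy" if enforce else "Content-Security-Policy-Report-Only"
    value = (f"script-src 'nonce-{nonce}' 'strict-dynamic'; object-src 'none'; "
             f"base-uri 'none'; report-uri {REPORT_URI}")
    return name, value


def script_tag(src: str, nonce: str) -> str:
    """What a nonce-aware script tag has to render for the policy above."""
    return f'<script src="{html.escape(src, quote=True)}" nonce="{nonce}"></script>'


def _clean(value, limit: int = 200) -> str:
    """Reports come from untrusted clients: cap length, neutralise control chars."""
    return "".join(ch if ch.isprintable() else "?" for ch in str(value)[:limit])


def explain_report(body: bytes) -> str:
    """Turn a report-uri style JSON violation report into one safe log line."""
    try:
        report = json.loads(body)["csp-report"]
        directive = report.get("effective-directive") or report["violated-directive"]
    except (ValueError, KeyError, TypeError, AttributeError):
        return "rejected: not a CSP violation report"
    where = _clean(report.get("source-file") or report.get("document-uri", "unknown"))
    line = report.get("line-number")
    mode = "would be blocked" if report.get("disposition") == "report" else "blocked"
    text = f"{_clean(directive)}: {_clean(report.get('blocked-uri', 'unknown'))} {mode} at {where}"
    return f"{text}:{_clean(line)}" if line else text


# Constructed sample: an inline script without a nonce, seen in report-only mode.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://app.example/orders", "effective-directive": "script-src-elem",
    "blocked-uri": "inline", "source-file": "https://app.example/orders",
    "line-number": 42, "disposition": "report"}}).encode()
```

The report endpoint is reachable by any client, which is why `explain_report` rejects malformed bodies and strips control characters before the text reaches a log.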