[ https://issues.apache.org/jira/browse/WW-5084?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17631437#comment-17631437 ]
Takashi Mori commented on WW-5084: ---------------------------------- Hi [~saldiaz] , sorry, this may sounds very basic.. It seems by default Content-Security-Policy-Report-Only is enabled on http response tag if i include use defaultStack intercepter. Would you help to advise how to disable it ? Also, how to enforce CSP (not report only) ? as it seems there is way to switch mode as the following. * Allows users to configure whether CSP is enabled in reporting or enforcement modes and lets them set a report URI, where violation reports will be sent by the browser. Thanks for your help in advance. > Content Security Policy support > ------------------------------- > > Key: WW-5084 > URL: https://issues.apache.org/jira/browse/WW-5084 > Project: Struts 2 > Issue Type: New Feature > Components: Core Interceptors, Core Tags > Affects Versions: 6.0.0 > Reporter: Santiago Diaz > Priority: Major > Fix For: 6.0.0 > > Time Spent: 5h 10m > Remaining Estimate: 0h > > We'd like to add built-in Content Security Policy support to Struts2 to > provide a major security mechanism that developers can use to protect against > common Cross-Site Scripting vulnerabilities. Developers will have the ability > to enable CSP in report-only or enforcement mode. > We will provide an out of the box tag that can be used by developers to > use/import scripts in their web applications, so that these will > automatically get nonces that are compatible with their Content Security > policies. > Finally, we will provide a built-in handler for CSP violation reports that > will be used to collect and provide textual explanations of these reports. > This endpoint will be used by developers to debug CSP violations and locate > pieces of code that need to be refactored to support strong policies. -- This message was sent by Atlassian Jira (v8.20.10#820010)