Hi,
I want to add
frame-ancestors 'self'
to the HTTP headers provided by Struts 7 (using enforcing mode).

Unfortunately I do not understand 
https://struts.apache.org/core-developers/csp-interceptor

Neither do I want to replace DefaultCspSettings.class (losing any Struts
enhancements in future Struts versions) in the first place, nor did I see how
to use CspSettingsAware.

I looked into CspInterceptorTest.java:
    public CspSettings getCspSettings() {
        DefaultCspSettings settings = new DefaultCspSettings();
        settings.setReportUri(reportUri);
        return settings;
    }
but that did not help to add an entry to the policy.

Please give me a hint. If necessary, I would try
>>
cspSettingsClassName (default to DefaultCspSettings.class) - a full class name
implementing CspSettings interface to allow to define a custom CSP settings.
<<
but I am not quite sure whether this means to copy or to extend the default
class, and not sure how to change my class or how to configure struts.xml.

Mail not sent while work in progress:

I extended the default class by overriding createPolicyFormat and managed to 
get it to work with this struts.xml (took me quite a while):
<interceptor-ref name="defaultStack">
  <param name="csp.enforcingMode">true</param>
  <param name="csp.cspSettingsClassName">my.FullyQualifiedCspSettingsClass</param>
</interceptor-ref>

These are the warnings in Firefox developer tools (translated from the German
Firefox message):
Content-Security-Policy: Ignoring "http:" within script-src: 'strict-dynamic'
specified.
Is the struts default CSP policy inconsistent?

Please tell me if I am on the right path, if there is a better best practice,
and could you please extend the documentation?
I am not lucky with overriding createPolicyFormat.

Best regards Ute
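The approach described in the message above (extend DefaultCspSettings, override createPolicyFormat, register the subclass via csp.cspSettingsClassName), written out as an added example. This is not code from the original message or from the Struts project; it assumes that DefaultCspSettings exposes a protected createPolicyFormat(HttpServletRequest) hook that returns the complete policy string for the current request, and that the class lives in package my under the name the message uses in struts.xml. Check both against the DefaultCspSettings source of your Struts version.

```java
package my;

import jakarta.servlet.http.HttpServletRequest;
import org.apache.struts2.interceptor.csp.DefaultCspSettings;

/**
 * Added example: keeps the Struts default policy (nonce, 'strict-dynamic',
 * object-src, base-uri, report-uri) and appends "frame-ancestors 'self'".
 *
 * Wiring in struts.xml, as in the message above:
 *   <interceptor-ref name="defaultStack">
 *     <param name="csp.enforcingMode">true</param>
 *     <param name="csp.cspSettingsClassName">my.FullyQualifiedCspSettingsClass</param>
 *   </interceptor-ref>
 *
 * Assumption: createPolicyFormat(HttpServletRequest) is the protected hook
 * that produces the final header value; verify against your Struts version.
 */
public class FullyQualifiedCspSettingsClass extends DefaultCspSettings {

    private static final String FRAME_ANCESTORS_SELF = "frame-ancestors 'self'";

    @Override
    protected String createPolicyFormat(HttpServletRequest request) {
        // Take the default policy unchanged so future Struts improvements are kept.
        String policy = super.createPolicyFormat(request);
        // If a future default already sets frame-ancestors, do not emit it twice.
        if (policy.contains("frame-ancestors")) {
            return policy;
        }
        return appendDirective(policy, FRAME_ANCESTORS_SELF);
    }

    /**
     * Appends a directive to a serialized policy using the "; " separator,
     * regardless of whether the base policy ends with "; ", ";" or nothing.
     */
    static String appendDirective(String policy, String directive) {
        String base = policy == null ? "" : policy.trim();
        if (base.endsWith(";")) {
            base = base.substring(0, base.length() - 1).trim();
        }
        return base.isEmpty() ? directive + ";" : base + "; " + directive + ";";
    }
}
```

The subclass deliberately leaves script-src alone. The Firefox message quoted above is the expected effect of 'strict-dynamic': a browser that supports it ignores host and scheme sources such as http: and https: in the same script-src, and only reports that in the console. Also note that frame-ancestors is only honoured in the HTTP header, never in a <meta http-equiv> tag, so it has to be added on the Struts side as done here.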
