Uploaded image for project: 'Struts 2'
  1. Struts 2
  2. WW-5084

Content Security Policy support

    XMLWordPrintableJSON

    Details

    • Type: New Feature
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.6
    • Fix Version/s: 2.6
    • Labels:
      None

      Description

      We'd like to add built-in Content Security Policy support to Struts2 to provide a major security mechanism that developers can use to protect against common Cross-Site Scripting vulnerabilities. Developers will have the ability to enable CSP in report-only or enforcement mode.

      We will provide an out of the box tag that can be used by developers to use/import scripts in their web applications, so that these will automatically get nonces that are compatible with their Content Security policies.

      Finally, we will provide a built-in handler for CSP violation reports that will be used to collect and provide textual explanations of these reports. This endpoint will be used by developers to debug CSP violations and locate pieces of code that need to be refactored to support strong policies.

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              saldiaz Santiago Diaz
            • Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Time Tracking

                Estimated:
                Original Estimate - Not Specified
                Not Specified
                Remaining:
                Remaining Estimate - 0h
                0h
                Logged:
                Time Spent - 5h 10m
                5h 10m