struts-commits mailing list archives

From git-site-r...@apache.org
Subject [struts-site] branch asf-site updated: Automatic Site Publish by Buildbot
Date Wed, 02 Dec 2020 19:14:07 GMT
This is an automated email from the ASF dual-hosted git repository.

git-site-role pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/struts-site.git


The following commit(s) were added to refs/heads/asf-site by this push:
     new 7a002da  Automatic Site Publish by Buildbot
7a002da is described below

commit 7a002daed8028c4b1f94b1eee7eff8dcc09241a6
Author: buildbot <users@infra.apache.org>
AuthorDate: Wed Dec 2 19:14:04 2020 +0000

    Automatic Site Publish by Buildbot
---
 output/core-developers/i18n-interceptor.html   |  7 +-
 output/core-developers/interceptors.html       |  8 +--
 output/core-developers/struts-default-xml.html |  8 +--
 output/security/index.html                     | 98 +++++++++++++++++---------
 4 files changed, 79 insertions(+), 42 deletions(-)

diff --git a/output/core-developers/i18n-interceptor.html b/output/core-developers/i18n-interceptor.html
index d3589b4..53a1c7f 100644
--- a/output/core-developers/i18n-interceptor.html
+++ b/output/core-developers/i18n-interceptor.html
@@ -158,7 +158,12 @@ to and save in a cookie. By default this is <code class="highlighter-rouge">requ
   <li><code class="highlighter-rouge">requestOnlyParameterName</code> (optional)
- the name of the HTTP request parameter that dictates the locale to switch to 
 for the current request only, without saving it in the session. By default this is <code
class="highlighter-rouge">request_only_locale</code></li>
   <li><code class="highlighter-rouge">attributeName</code> (optional) -
the name of the session key to store the selected locale. By default this is <code class="highlighter-rouge">WW_TRANS_I18N_LOCALE</code></li>
-  <li><code class="highlighter-rouge">localeStorage</code> (optional) -
the name of storage location, it can be <code class="highlighter-rouge">none</code>,
<code class="highlighter-rouge">session</code> or <code class="highlighter-rouge">cookie</code>.
By default this is <code class="highlighter-rouge">session</code></li>
+  <li><code class="highlighter-rouge">localeStorage</code> (optional) -
the name of storage location, it can be <code class="highlighter-rouge">accept_language</code>,
<code class="highlighter-rouge">request</code>, <code class="highlighter-rouge">session</code>
or <code class="highlighter-rouge">cookie</code>,
+by default this is <code class="highlighter-rouge">session</code>.</li>
+  <li><code class="highlighter-rouge">supportedLocale</code> (optional)
- a set of comma separated locale supported by the application, once <code class="highlighter-rouge">storage</code>
is set
+to <code class="highlighter-rouge">accept_language</code>, interceptor will try
to match <code class="highlighter-rouge">supportedLocale</code> with locale provided
in <code class="highlighter-rouge">Accept-Language</code> header.
+Also in case of using <code class="highlighter-rouge">session</code> or <code
class="highlighter-rouge">cookie</code>, interceptor will try to first match with
<code class="highlighter-rouge">Accept-Language</code> header 
+once <code class="highlighter-rouge">supportedLocale</code> has been defined.
Since Struts 2.6.</li>
 </ul>
 
 <h2 id="examples">Examples</h2>
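Review bot: the new `supportedLocale` bullet refers to a parameter called `storage` ("once `storage` is set to `accept_language`"), but the parameter documented two lines above is `localeStorage`; use one name. The bullet also leaves out what the interceptor does when nothing in `Accept-Language` matches `supportedLocale` (fall back to the default locale, or leave the stored session/cookie value untouched?), which is exactly the case a reader needs once an attacker-controlled request header becomes the input; one sentence on the fallback would close that gap. Minor grammar: "a set of comma separated locale supported by the application" should read "a comma-separated set of locales supported by the application".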
diff --git a/output/core-developers/interceptors.html b/output/core-developers/interceptors.html
index a04c195..ce5508b 100644
--- a/output/core-developers/interceptors.html
+++ b/output/core-developers/interceptors.html
@@ -258,8 +258,8 @@ than reiterate the same list of Interceptors, we can bundle these Interceptors
t
     and {@link com.opensymphony.xwork2.inject.Inject}
 --&gt;</span>
 <span class="cp">&lt;!DOCTYPE struts PUBLIC
-    "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
-    "http://struts.apache.org/dtds/struts-2.5.dtd"&gt;</span>
+    "-//Apache Software Foundation//DTD Struts Configuration 2.6//EN"
+    "http://struts.apache.org/dtds/struts-2.6.dtd"&gt;</span>
 
 <span class="nt">&lt;struts&gt;</span>
 
@@ -628,10 +628,10 @@ than reiterate the same list of Interceptors, we can bundle these Interceptors
t
                 <span class="nt">&lt;interceptor-ref</span> <span class="na">name=</span><span
class="s">"coepInterceptor"</span><span class="nt">&gt;</span>
                     <span class="nt">&lt;param</span> <span class="na">name=</span><span
class="s">"enforcingMode"</span><span class="nt">&gt;</span>false<span
class="nt">&lt;/param&gt;</span>
                     <span class="nt">&lt;param</span> <span class="na">name=</span><span
class="s">"disabled"</span><span class="nt">&gt;</span>false<span
class="nt">&lt;/param&gt;</span>
-                    <span class="nt">&lt;param</span> <span class="na">name=</span><span
class="s">"exemptedPaths"</span><span class="nt">&gt;&lt;/param&gt;</span>
+                    <span class="nt">&lt;param</span> <span class="na">name=</span><span
class="s">"exemptedPaths"</span><span class="nt">/&gt;</span>
                 <span class="nt">&lt;/interceptor-ref&gt;</span>
                 <span class="nt">&lt;interceptor-ref</span> <span class="na">name=</span><span
class="s">"coopInterceptor"</span><span class="nt">&gt;</span>
-                    <span class="nt">&lt;param</span> <span class="na">name=</span><span
class="s">"exemptedPaths"</span><span class="nt">&gt;&lt;/param&gt;</span>
+                    <span class="nt">&lt;param</span> <span class="na">name=</span><span
class="s">"exemptedPaths"</span><span class="nt">/&gt;</span>
                     <span class="nt">&lt;param</span> <span class="na">name=</span><span
class="s">"mode"</span><span class="nt">&gt;</span>same-origin<span
class="nt">&lt;/param&gt;</span>
                 <span class="nt">&lt;/interceptor-ref&gt;</span>
                 <span class="nt">&lt;interceptor-ref</span> <span class="na">name=</span><span
class="s">"fetchMetadata"</span><span class="nt">/&gt;</span>
diff --git a/output/core-developers/struts-default-xml.html b/output/core-developers/struts-default-xml.html
index ffee4ac..8d939a1 100644
--- a/output/core-developers/struts-default-xml.html
+++ b/output/core-developers/struts-default-xml.html
@@ -175,8 +175,8 @@ setting in <a href="struts-properties.html">struts.properties</a>.</p>
     and {@link com.opensymphony.xwork2.inject.Inject}
 --&gt;</span>
 <span class="cp">&lt;!DOCTYPE struts PUBLIC
-    "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
-    "http://struts.apache.org/dtds/struts-2.5.dtd"&gt;</span>
+    "-//Apache Software Foundation//DTD Struts Configuration 2.6//EN"
+    "http://struts.apache.org/dtds/struts-2.6.dtd"&gt;</span>
 
 <span class="nt">&lt;struts&gt;</span>
 
@@ -545,10 +545,10 @@ setting in <a href="struts-properties.html">struts.properties</a>.</p>
                 <span class="nt">&lt;interceptor-ref</span> <span class="na">name=</span><span
class="s">"coepInterceptor"</span><span class="nt">&gt;</span>
                     <span class="nt">&lt;param</span> <span class="na">name=</span><span
class="s">"enforcingMode"</span><span class="nt">&gt;</span>false<span
class="nt">&lt;/param&gt;</span>
                     <span class="nt">&lt;param</span> <span class="na">name=</span><span
class="s">"disabled"</span><span class="nt">&gt;</span>false<span
class="nt">&lt;/param&gt;</span>
-                    <span class="nt">&lt;param</span> <span class="na">name=</span><span
class="s">"exemptedPaths"</span><span class="nt">&gt;&lt;/param&gt;</span>
+                    <span class="nt">&lt;param</span> <span class="na">name=</span><span
class="s">"exemptedPaths"</span><span class="nt">/&gt;</span>
                 <span class="nt">&lt;/interceptor-ref&gt;</span>
                 <span class="nt">&lt;interceptor-ref</span> <span class="na">name=</span><span
class="s">"coopInterceptor"</span><span class="nt">&gt;</span>
-                    <span class="nt">&lt;param</span> <span class="na">name=</span><span
class="s">"exemptedPaths"</span><span class="nt">&gt;&lt;/param&gt;</span>
+                    <span class="nt">&lt;param</span> <span class="na">name=</span><span
class="s">"exemptedPaths"</span><span class="nt">/&gt;</span>
                     <span class="nt">&lt;param</span> <span class="na">name=</span><span
class="s">"mode"</span><span class="nt">&gt;</span>same-origin<span
class="nt">&lt;/param&gt;</span>
                 <span class="nt">&lt;/interceptor-ref&gt;</span>
                 <span class="nt">&lt;interceptor-ref</span> <span class="na">name=</span><span
class="s">"fetchMetadata"</span><span class="nt">/&gt;</span>
diff --git a/output/security/index.html b/output/security/index.html
index 0fae2a6..6b48f83 100644
--- a/output/security/index.html
+++ b/output/security/index.html
@@ -142,6 +142,7 @@
       <li><a href="#use-utf-8-encoding" id="markdown-toc-use-utf-8-encoding">Use
UTF-8 encoding</a></li>
       <li><a href="#do-not-define-setters-when-not-needed" id="markdown-toc-do-not-define-setters-when-not-needed">Do
not define setters when not needed</a></li>
       <li><a href="#do-not-use-incoming-values-as-an-input-for-localisation-logic"
id="markdown-toc-do-not-use-incoming-values-as-an-input-for-localisation-logic">Do not
use incoming values as an input for localisation logic</a></li>
+      <li><a href="#do-not-use-incoming-untrusted-user-input-in-forced-expression-evaluation"
id="markdown-toc-do-not-use-incoming-untrusted-user-input-in-forced-expression-evaluation">Do
not use incoming, untrusted user input in forced expression evaluation</a></li>
       <li><a href="#use-struts-tags-instead-of-raw-el-expressions" id="markdown-toc-use-struts-tags-instead-of-raw-el-expressions">Use
Struts tags instead of raw EL expressions</a></li>
       <li><a href="#define-custom-error-pages" id="markdown-toc-define-custom-error-pages">Define
custom error pages</a></li>
       <li><a href="#proactively-protect-from-ognl-expression-injections-attacks-if-easily-applicable"
id="markdown-toc-proactively-protect-from-ognl-expression-injections-attacks-if-easily-applicable">Proactively
protect from OGNL Expression Injections attacks if easily applicable</a>        <ul>
@@ -170,7 +171,7 @@ you should consider during application development with the Apache Struts
2.</p>
 <h3 id="restrict-access-to-the-config-browser-plugin">Restrict access to the Config
Browser Plugin</h3>
 
 <p><a href="../plugins/config-browser/">Config Browser Plugin</a> exposes
internal configuration and should be used only during 
-development phase. If you must use it on production site, we strictly recommend restricting
access to it - you can use  
+development phase. If you must use it on production site, we strictly recommend restricting
access to it - you can use<br />
 Basic Authentication or any other security mechanism (e.g. <a href="https://shiro.apache.org/">Apache
Shiro</a>)</p>
 
 <h3 id="dont-mix-different-access-levels-in-the-same-namespace">Don’t mix different
access levels in the same namespace</h3>
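Review bot: the `<br />` inserted after "you can use" comes from two trailing spaces in the Markdown source and puts a hard line break in the middle of the sentence before "Basic Authentication"; drop the trailing spaces so the paragraph flows as one sentence. While here, "we strictly recommend restricting access" reads better as "we strongly recommend restricting access".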
@@ -193,10 +194,10 @@ by security level.</p>
 <h3 id="never-expose-jsp-files-directly">Never expose JSP files directly</h3>
 
 <p>You must always hide JSP file behind an action, you cannot allow for direct access
to the JSP files as this can leads 
-to unpredictable security vulnerabilities. You can achieve this by putting all your JSP files
under the <code class="highlighter-rouge">WEB-INF</code> folder</p>
+to unpredictable security vulnerabilities. You can achieve this by putting all your JSP files
under the <code class="highlighter-rouge">WEB-INF</code> folder</p>
 <ul>
-  <li>most of the JEE containers restrict access to files placed under the <code
class="highlighter-rouge">WEB-INF</code> folder. Second option is to add security

-constraint to the <code class="highlighter-rouge">web.xml</code> file:</li>
+  <li>most of the JEE containers restrict access to files placed under the <code
class="highlighter-rouge">WEB-INF</code> folder. Second option is to add security

+constraint to the <code class="highlighter-rouge">web.xml</code> file:</li>
 </ul>
 
 <div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span
class="c">&lt;!-- Restricts access to pure JSP files - access available only via Struts
action --&gt;</span>
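Review bot: the changed lines differ only in trailing whitespace, so the wording is untouched, but it still has "this can leads to unpredictable security vulnerabilities" (should be "can lead"), and the single bullet runs two distinct alternatives together ("most of the JEE containers restrict access ... Second option is to add security constraint"); splitting it into two bullets, one for placing JSPs under `WEB-INF` and one for the `web.xml` security constraint, would match the code block that follows.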
@@ -221,13 +222,13 @@ constraint to the <code class="highlighter-rouge">web.xml</code> file:</li>
 
 <h3 id="disable-devmode">Disable devMode</h3>
 
-<p>The <code class="highlighter-rouge">devMode</code> is a very useful
option during development time, allowing for deep introspection and debugging into you app.</p>
+<p>The <code class="highlighter-rouge">devMode</code> is a very useful
option during development time, allowing for deep introspection and debugging into you app.</p>
 
 <p>However, in production it exposes your application to be presenting too many informations
on application’s internals 
-or to evaluating risky parameter expressions. Please <strong>always disable</strong>
<code class="highlighter-rouge">devMode</code> before deploying your application

+or to evaluating risky parameter expressions. Please <strong>always disable</strong>
<code class="highlighter-rouge">devMode</code> before deploying your application

 to a production environment. While it is disabled by default, your 
-<code class="highlighter-rouge">struts.xml</code> might include a line setting
it to <code class="highlighter-rouge">true</code>. The best way is to ensure the
following setting is applied 
-to our <code class="highlighter-rouge">struts.xml</code> for production deployment:</p>
+<code class="highlighter-rouge">struts.xml</code> might include a line setting
it to <code class="highlighter-rouge">true</code>. The best way is to ensure the
following setting is applied 
+to our <code class="highlighter-rouge">struts.xml</code> for production deployment:</p>
 
 <div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span
class="nt">&lt;constant</span> <span class="na">name =</span><span
class="s">"struts.devMode"</span> <span class="na">value=</span><span
class="s">"false"</span> <span class="nt">/&gt;</span>
 </code></pre></div></div>
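Review bot: whitespace-only change again, leaving several typos in the devMode paragraph: "debugging into you app" (your), "too many informations" (information), "applied to our struts.xml" (your). In the `<constant>` example the attribute is rendered as `name =` with a space before `=`; XML tolerates it, but it is inconsistent with `value=` in the same tag and with the other constants on the page, and copy-pasted snippets are better kept uniform.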
@@ -257,7 +258,7 @@ to our <code class="highlighter-rouge">struts.xml</code> for
production deploym
 
 <h3 id="use-utf-8-encoding">Use UTF-8 encoding</h3>
 
-<p>Always use <code class="highlighter-rouge">UTF-8</code> encoding when
building an application with the Apache Struts 2, when using JSPs please add the following

+<p>Always use <code class="highlighter-rouge">UTF-8</code> encoding when
building an application with the Apache Struts 2, when using JSPs please add the following

 header to each JSP file</p>
 
 <pre><code class="language-jsp">&lt;%@ page contentType="text/html; charset=UTF-8"
%&gt;
@@ -267,24 +268,32 @@ header to each JSP file</p>
 
 <p>You should carefully design your actions without exposing anything via setters and
getters, thus can leads to potential 
 security vulnerabilities. Any action’s setter can be used to set incoming untrusted user’s
value which can contain 
-suspicious expression. Some Struts <code class="highlighter-rouge">Result</code>s
automatically populate params based on values in 
+suspicious expression. Some Struts <code class="highlighter-rouge">Result</code>s
automatically populate params based on values in 
 <code class="highlighter-rouge">ValueStack</code> (action in most cases is the
root) which means incoming value will be evaluated as an expression during 
 this process.</p>
 
 <h3 id="do-not-use-incoming-values-as-an-input-for-localisation-logic">Do not use incoming
values as an input for localisation logic</h3>
 
-<p>All <code class="highlighter-rouge">TextProvider</code>’s <code
class="highlighter-rouge">getText(...)</code> methods (e.g. in<code class="highlighter-rouge">ActionSupport</code>)
perform evaluation of parameters included in a message 
-to properly localize the text. This means using incoming request parameters with <code
class="highlighter-rouge">getText(...)</code> methods is potentially 
-dangerous and should be avoided. See example below, assuming that an action implements getter
and setter for property 
+<p>All <code class="highlighter-rouge">TextProvider</code>’s <code
class="highlighter-rouge">getText(...)</code> methods (e.g. in<code class="highlighter-rouge">ActionSupport</code>)
perform evaluation of parameters included in a message 
+to properly localize the text. This means using incoming request parameters with <code
class="highlighter-rouge">getText(...)</code> methods is potentially 
+dangerous and should be avoided. See example below, assuming that an action implements getter
and setter for property 
 <code class="highlighter-rouge">message</code>, the below code allows inject
an OGNL expression:</p>
 
 <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span
class="kd">public</span> <span class="n">String</span> <span class="nf">execute</span><span
class="o">()</span> <span class="kd">throws</span> <span class="n">Exception</span>
<span class="o">{</span>
-    <span class="n">setMessage</span><span class="o">(</span><span
class="n">getText</span><span class="o">(</span><span class="n">getMessage</span><span
class="o">()));</span>
+    <span class="n">message</span> <span class="o">=</span> <span
class="n">getText</span><span class="o">(</span><span class="n">getMessage</span><span
class="o">());</span>
     <span class="k">return</span> <span class="n">SUCCESS</span><span
class="o">;</span>
 <span class="o">}</span>
 </code></pre></div></div>
 
-<p>Never use value of incoming request parameter as part of your localization logic.</p>
+<p><strong>Never use value of incoming request parameter as part of your localization
logic.</strong></p>
+
+<h3 id="do-not-use-incoming-untrusted-user-input-in-forced-expression-evaluation">Do
not use incoming, untrusted user input in forced expression evaluation</h3>
+
+<p>You can use a forced expression evalaution in many tags’ attributes by using <code
class="highlighter-rouge">%{...}</code> syntax. This is a very powerful option
+but used with wrong data can lead to the Remote Code Execution. Never use forced expression
evalaution if you didn’t verify
+the input or it can be passed in by a user.</p>
+
+<p><strong>Never use value of incoming request parameter as input for forced
expression evalaution.</strong></p>
 
 <h3 id="use-struts-tags-instead-of-raw-el-expressions">Use Struts tags instead of raw
EL expressions</h3>
 
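Review bot: "evalaution" is misspelled three times in the new forced-expression section (the heading is correct, the body paragraph and the bold closing line are not). The section also states only that `%{...}` "used with wrong data can lead to the Remote Code Execution" without showing the shape of the mistake; one line of JSP in which a tag attribute is built from `%{` plus a request parameter, next to the safe form that passes the parameter as a plain value rather than an expression, would make the rule concrete in the same way the `getText(getMessage())` snippet does for localisation. Also "e.g. in<code>ActionSupport</code>" is missing a space, and "the below code allows inject an OGNL expression" should read "allows injecting".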
@@ -330,7 +339,7 @@ comprehensively test your app UI and functionalities with these enabled.</p>
 
 <h4 id="run-ognl-expressions-inside-sandbox">Run OGNL expressions inside sandbox</h4>
 
-<p>You can do this simply via adding <code class="highlighter-rouge">-Dognl.security.manager</code>
to JVM arguments. OGNL thereupon utilizes Java Security
+<p>You can do this simply via adding <code class="highlighter-rouge">-Dognl.security.manager</code>
to JVM arguments. OGNL thereupon utilizes Java Security
 Manager to run OGNL expressions (which includes your actions either!) inside a sandbox with
no permission. It is worth 
 noting that it affects only OGNL expression execution and thereafter OGNL reverts Java Security
Manager to its previous 
 state.</p>
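Review bot: whitespace-only change; the sentence "which includes your actions either!" is unclear about whether the action code itself runs under the Security Manager sandbox or only the expressions that reach into it; rephrase as "(including any action code invoked from an expression)" if that is the intent. "with no permission" should be "with no permissions".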
@@ -355,7 +364,7 @@ used in JSPs, etc.</p>
   <li><code class="highlighter-rouge">struts.excludedPackageNamePatterns</code>
- patterns used to exclude packages based on RegEx - this option is slower than 
 simple string comparison but it’s more flexible</li>
   <li><code class="highlighter-rouge">struts.excludedPackageNames</code>
- comma-separated list of excluded packages, it is used with simple string comparison 
-via <code class="highlighter-rouge">startWith</code> and <code class="highlighter-rouge">equals</code></li>
+via <code class="highlighter-rouge">startWith</code> and <code class="highlighter-rouge">equals</code></li>
 </ul>
 
 <p>The defaults are as follow:</p>
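Review bot: the comparison methods for `struts.excludedPackageNames` are given as `startWith` and `equals`; the `java.lang.String` method is `startsWith`, and since this is the line a reader uses to predict which package names a given entry blocks, it should name the method correctly.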
@@ -376,8 +385,8 @@ via <code class="highlighter-rouge">startWith</code> and
<code class="highlight
 <div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>[WARNING]
Target class [class example.MyBean] or declaring class of member type [public example.MyBean()]
are excluded!
 </code></pre></div></div>
 
-<p>In that case <code class="highlighter-rouge">new MyBean()</code> was
used to create a new instance of class (inside JSP) - it’s blocked because <code class="highlighter-rouge">target</code>

-of such expression is evaluated to <code class="highlighter-rouge">java.lang.Class</code></p>
+<p>In that case <code class="highlighter-rouge">new MyBean()</code> was
used to create a new instance of class (inside JSP) - it’s blocked because <code class="highlighter-rouge">target</code>

+of such expression is evaluated to <code class="highlighter-rouge">java.lang.Class</code></p>
 
 <p>It is possible to redefine the above constants in struts.xml but try to avoid this
and rather change design of your application!</p>
 
@@ -415,45 +424,68 @@ this was reported as an issue <a href="https://issues.apache.org/jira/browse/WW-
 
 <p>In such case OGNL cannot properly map which method to call when request is coming.
This is do the OGNL limitation. 
 To solve the problem don’t use the same method’s names through the hierarchy, you can
simply change the action’s method 
-from <code class="highlighter-rouge">save()</code> to <code class="highlighter-rouge">saveAction()</code> and
leaving annotation as is to allow call this action via  <code class="highlighter-rouge">/save.action</code>
request.</p>
+from <code class="highlighter-rouge">save()</code> to <code class="highlighter-rouge">saveAction()</code>
and leaving annotation as is to allow call this action via  <code class="highlighter-rouge">/save.action</code>
request.</p>
 
 <h3 id="accepted--excluded-patterns">Accepted / Excluded patterns</h3>
 
 <p>As from version 2.3.20 the framework provides two new interfaces which are used
to accept / exclude param names 
-and values - <a href="../maven/struts2-core/apidocs/com/opensymphony/xwork2/security/AcceptedPatternsChecker.html">AcceptedPatternsChecker</a>

-and <a href="../maven/struts2-core/apidocs/com/opensymphony/xwork2/security/ExcludedPatternsChecker.html">ExcludedPatternsChecker</a>

-with default implementations. These two interfaces are used by <a href="../core-developers/parameters-interceptor.html">Parameters
Interceptor</a> 
-and <a href="../core-developers/cookie-interceptor.html">Cookie Interceptor</a>
to check if param can be accepted or must be excluded. 
-If you were using <code class="highlighter-rouge">excludeParams</code> previously
please compare patterns used by you with these provided by the framework in default implementation.</p>
+and values - <a href="../maven/struts2-core/apidocs/com/opensymphony/xwork2/security/AcceptedPatternsChecker.html">AcceptedPatternsChecker</a>

+and <a href="../maven/struts2-core/apidocs/com/opensymphony/xwork2/security/ExcludedPatternsChecker.html">ExcludedPatternsChecker</a>

+with default implementations. These two interfaces are used by <a href="../core-developers/parameters-interceptor.html">Parameters
Interceptor</a> 
+and <a href="../core-developers/cookie-interceptor.html">Cookie Interceptor</a>
to check if param can be accepted or must be excluded. 
+If you were using <code class="highlighter-rouge">excludeParams</code> previously
please compare patterns used by you with these provided by the framework in default implementation.</p>
 
 <h3 id="strict-method-invocation">Strict Method Invocation</h3>
 
 <p>This mechanism was introduced in version 2.5. It allows control what methods can
be accessed with the bang “!” operator 
 via <a href="../core-developers/action-configuration.html#dynamic-method-invocation">Dynamic
Method Invocation</a>. Please read 
-more in the Strict Method Invocation section of <a href="../core-developers/action-configuration.html">Action
Configuration</a>.</p>
+more in the Strict Method Invocation section of <a href="../core-developers/action-configuration.html">Action
Configuration</a>.</p>
 
 <h3 id="resource-isolation-using-fetch-metadata">Resource Isolation Using Fetch Metadata</h3>
 
-<p>Fetch Metadata is a mitigation against common cross origin attacks such as Cross-Site
Request Forgery (CSRF).  It is a web platform security feature designed to help servers defend
themselves against cross-origin attacks based on the preferred resource isolation policy.
The browser provides information about the context of an HTTP request in a set of <code
class="highlighter-rouge">Sec-Fetch-*</code> headers. This allows the server processing
the request to make decisions on whether t [...]
+<p>Fetch Metadata is a mitigation against common cross origin attacks such as Cross-Site
Request Forgery (CSRF). It is 
+a web platform security feature designed to help servers defend themselves against cross-origin
attacks based 
+on the preferred resource isolation policy. The browser provides information about the context
of an HTTP request 
+in a set of <code class="highlighter-rouge">Sec-Fetch-*</code> headers. This
allows the server processing the request to make decisions on whether the request 
+should be accepted or rejected based on the available resource isolation policies.</p>
 
-<p>A Resource Isolation  Policy prevents the resources on a server from being requested
by external websites. This policy can be enabled for all endpoints of the application or the
endpoints that are meant to be loaded in a cross-site context can be exempted from applying
the policy. Read more about Fetch Metadata and resource isolation <a href="https://web.dev/fetch-metadata/">here</a>.</p>
+<p>A Resource Isolation  Policy prevents the resources on a server from being requested
by external websites. This policy 
+can be enabled for all endpoints of the application or the endpoints that are meant to be
loaded in a cross-site context 
+can be exempted from applying the policy. Read more about Fetch Metadata and resource isolation
<a href="https://web.dev/fetch-metadata/">here</a>.</p>
 
-<p>This mechanism is implemented in Struts using the <a href="../core-developers/fetch-metadata-interceptor.html">FetchMetadata
Interceptor</a>. Refer to the documentation for <a href="../core-developers/fetch-metadata-interceptor.html">FetchMetadata
Interceptor</a> instructions on how to enable Fetch Metadata.</p>
+<p>This mechanism is implemented in Struts using the <a href="../core-developers/fetch-metadata-interceptor.html">FetchMetadata
Interceptor</a>.
+ Refer to the documentation for <a href="../core-developers/fetch-metadata-interceptor.html">FetchMetadata
Interceptor</a> 
+ instructions on how to enable Fetch Metadata.</p>
 
 <h3 id="cross-origin-isolation-with-coop-and-coep">Cross Origin Isolation with COOP
and COEP</h3>
 
-<p><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy">Cross-Origin
Opener Policy</a> is a security mitigation that lets developers isolate their resources
against side-channel attacks and information leaks. The COOP response header allows a document
to request a new browsing context group to better isolate itself from other untrustworthy
origins.</p>
+<blockquote>
+  <p>Note: since Struts 2.6.</p>
+</blockquote>
+
+<p><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy">Cross-Origin
Opener Policy</a> is 
+a security mitigation that lets developers isolate their resources against side-channel attacks
and information leaks. 
+The COOP response header allows a document to request a new browsing context group to better
isolate itself from other 
+untrustworthy origins.</p>
 
-<p><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy">Cross-Origin
Embedder Policy</a> prevents a document from loading any cross-origin resources which
don’t explicitly grant the document permission to be loaded.</p>
+<p><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy">Cross-Origin
Embedder Policy</a> 
+prevents a document from loading any cross-origin resources which don’t explicitly grant
the document permission to be loaded.</p>
 
-<p>COOP and COEP are independent mechanisms that can be enabled, tested and deployed
separately. While enabling one doesn’t require developers to enable the other, when set
together COOP and COEP allows developers to use powerful features (such as <code class="highlighter-rouge">SharedArrayBuffer</code>,
<code class="highlighter-rouge">performance.measureMemory()</code> and the JS
Self-Profiling API) securely, without worrying about side channel attacks like <a href="https://meltdownatta
[...]
+<p>COOP and COEP are independent mechanisms that can be enabled, tested and deployed
separately. While enabling one doesn’t 
+require developers to enable the other, when set together COOP and COEP allows developers
to use powerful features (such 
+as <code class="highlighter-rouge">SharedArrayBuffer</code>, <code class="highlighter-rouge">performance.measureMemory()</code>
and the JS Self-Profiling API) securely, without worrying about 
+side channel attacks like <a href="https://meltdownattack.com/">Spectre</a>.

+Further reading on <a href="https://docs.google.com/document/d/1zDlfvfTJ_9e8Jdc8ehuV4zMEu9ySMCiTGMS9y0GU92k/edit#bookmark=id.uo6kivyh0ge2">COOP/COEP</a>

+and <a href="https://web.dev/why-coop-coep/">why you need cross-origin isolation</a>.</p>
 
 <p>The recommended configuration for the policies are:</p>
+
 <div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Cross-Origin-Embedder-Policy:
require-corp;
 Cross-Origin-Opener-Policy: same-origin;
 </code></pre></div></div>
 
-<p>COOP and COEP are implemented in Struts using <a href="../core-developers/coop-interceptor.html">CoopInterceptor</a>
and <a href="../core-developers/coep-interceptor.html">CoepInterceptor</a>.</p>
+<p>COOP and COEP are implemented in Struts using <a href="../core-developers/coop-interceptor.html">CoopInterceptor</a>

+and <a href="../core-developers/coep-interceptor.html">CoepInterceptor</a>.</p>
 
   </section>
 </article>
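Review bot: the recommended configuration block renders the header values with trailing semicolons (`Cross-Origin-Embedder-Policy: require-corp;` and `Cross-Origin-Opener-Policy: same-origin;`); both headers carry a bare token, and the trailing `;` is not part of the value, so a reader copying the block into a server configuration sends a malformed header; drop both semicolons. Two smaller points in the same hunk: "This is do the OGNL limitation" should read "This is due to an OGNL limitation", and the COOP/COEP "further reading" link points at an editable Google Docs document, which is a poor long-term reference next to the MDN pages already linked in the same section.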

