This is an automated email from the ASF dual-hosted git repository.
git-site-role pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/struts-site.git
The following commit(s) were added to refs/heads/asf-site by this push:
new 106f7b3 Automatic Site Publish by Buildbot
106f7b3 is described below
commit 106f7b3f2044968f07c225eebc102507cec24d86
Author: buildbot <[email protected]>
AuthorDate: Mon Sep 7 05:52:51 2020 +0000
Automatic Site Publish by Buildbot
---
output/core-developers/coep-interceptor.html | 205 ++++++++++++++++++++
output/core-developers/coop-interceptor.html | 210 +++++++++++++++++++++
.../fetch-metadata-interceptor.html | 205 ++++++++++++++++++++
output/core-developers/interceptors.html | 30 +++
output/core-developers/struts-default-xml.html | 15 ++
output/security/index.html | 25 +++
6 files changed, 690 insertions(+)
diff --git a/output/core-developers/coep-interceptor.html
b/output/core-developers/coep-interceptor.html
new file mode 100644
index 0000000..c290d03
--- /dev/null
+++ b/output/core-developers/coep-interceptor.html
@@ -0,0 +1,205 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+ <meta charset="UTF-8"/>
+ <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
+ <meta name="Date-Revision-yyyymmdd" content="20140918"/>
+ <meta http-equiv="Content-Language" content="en"/>
+ <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
+
+ <title>COEP Interceptor</title>
+
+ <link
href="//fonts.googleapis.com/css?family=Source+Sans+Pro:300,400,600,700,400italic,600italic,700italic"
rel="stylesheet" type="text/css">
+ <link
href="//netdna.bootstrapcdn.com/font-awesome/4.0.3/css/font-awesome.css"
rel="stylesheet">
+ <link href="/css/main.css" rel="stylesheet">
+ <link href="/css/custom.css" rel="stylesheet">
+ <link href="/highlighter/github-theme.css" rel="stylesheet">
+
+ <script src="//code.jquery.com/jquery-1.11.0.min.js"></script>
+ <script type="text/javascript" src="/bootstrap/js/bootstrap.js"></script>
+ <script type="text/javascript" src="/js/community.js"></script>
+</head>
+<body>
+
+<a href="http://github.com/apache/struts" class="github-ribbon">
+ <img style="position: absolute; right: 0; border: 0;"
src="https://s3.amazonaws.com/github/ribbons/forkme_right_red_aa0000.png"
alt="Fork me on GitHub">
+</a>
+
+<header>
+ <nav>
+ <div role="navigation" class="navbar navbar-default navbar-fixed-top">
+ <div class="container">
+ <div class="navbar-header">
+ <button type="button" data-toggle="collapse"
data-target="#struts-menu" class="navbar-toggle">
+ Menu
+ <span class="sr-only">Toggle navigation</span>
+ <span class="icon-bar"></span>
+ <span class="icon-bar"></span>
+ <span class="icon-bar"></span>
+ </button>
+ <a href="/index.html" class="navbar-brand logo"><img
src="/img/struts-logo.svg"></a>
+ </div>
+ <div id="struts-menu" class="navbar-collapse collapse">
+ <ul class="nav navbar-nav">
+ <li class="dropdown">
+ <a data-toggle="dropdown" href="#" class="dropdown-toggle">
+ Home<b class="caret"></b>
+ </a>
+ <ul class="dropdown-menu">
+ <li><a href="/index.html">Welcome</a></li>
+ <li><a href="/download.cgi">Download</a></li>
+ <li><a href="/releases.html">Releases</a></li>
+ <li><a href="/announce.html">Announcements</a></li>
+ <li><a href="http://www.apache.org/licenses/">License</a></li>
+ <li><a
href="https://www.apache.org/foundation/thanks.html">Thanks!</a></li>
+ <li><a
href="https://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
+ </ul>
+ </li>
+ <li class="dropdown">
+ <a data-toggle="dropdown" href="#" class="dropdown-toggle">
+ Support<b class="caret"></b>
+ </a>
+ <ul class="dropdown-menu">
+ <li><a href="/mail.html">User Mailing List</a></li>
+ <li><a href="https://issues.apache.org/jira/browse/WW">Issue
Tracker</a></li>
+ <li><a href="/security.html">Reporting Security Issues</a></li>
+ <li class="divider"></li>
+ <li><a
href="https://cwiki.apache.org/confluence/display/WW/Migration+Guide">Version
Notes</a></li>
+ <li><a
href="https://cwiki.apache.org/confluence/display/WW/Security+Bulletins">Security
Bulletins</a></li>
+ <li class="divider"></li>
+ <li><a href="/maven/project-info.html">Maven Project
Info</a></li>
+ <li><a href="/maven/struts2-core/dependencies.html">Struts
Core Dependencies</a></li>
+ <li><a href="/maven/struts2-plugins/modules.html">Plugin
Dependencies</a></li>
+ </ul>
+ </li>
+ <li class="dropdown">
+ <a data-toggle="dropdown" href="#" class="dropdown-toggle">
+ Documentation<b class="caret"></b>
+ </a>
+ <ul class="dropdown-menu">
+ <li><a href="/birdseye.html">Birds Eye</a></li>
+ <li><a href="/primer.html">Key Technologies</a></li>
+ <li><a href="/kickstart.html">Kickstart FAQ</a></li>
+ <li><a
href="https://cwiki.apache.org/confluence/display/WW/Home">Wiki</a></li>
+ <li class="divider"></li>
+ <li><a href="/getting-started/">Getting Started</a></li>
+ <li><a href="/security/">Security Guide</a></li>
+ <li><a href="/core-developers/">Core Developers Guide</a></li>
+ <li><a href="/tag-developers/">Tag Developers Guide</a></li>
+ <li><a href="/maven-archetypes/">Maven Archetypes</a></li>
+ <li><a href="/plugins/">Plugins</a></li>
+ <li><a href="/maven/struts2-core/apidocs/index.html">Struts
Core API</a></li>
+ <li><a href="/tag-developers/tag-reference.html">Tag
reference</a></li>
+ <li><a
href="https://cwiki.apache.org/confluence/display/WW/FAQs">FAQs</a></li>
+ <li><a
href="http://cwiki.apache.org/S2PLUGINS/home.html">Plugin registry</a></li>
+ </ul>
+ </li>
+ <li class="dropdown">
+ <a data-toggle="dropdown" href="#" class="dropdown-toggle">
+ Contributing<b class="caret"></b>
+ </a>
+ <ul class="dropdown-menu">
+ <li><a href="/youatstruts.html">You at Struts</a></li>
+ <li><a href="/helping.html">How to Help FAQ</a></li>
+ <li><a href="/dev-mail.html">Development Lists</a></li>
+ <li class="divider"></li>
+ <li><a href="/submitting-patches.html">Submitting
patches</a></li>
+ <li><a href="/builds.html">Source Code and Builds</a></li>
+ <li><a href="/coding-standards.html">Coding standards</a></li>
+ <li><a
href="https://cwiki.apache.org/confluence/display/WW/Contributors+Guide">Contributors
Guide</a></li>
+ <li class="divider"></li>
+ <li><a href="/release-guidelines.html">Release
Guidelines</a></li>
+ <li><a href="/bylaws.html">PMC Charter</a></li>
+ <li><a href="/volunteers.html">Volunteers</a></li>
+ <li><a
href="https://gitbox.apache.org/repos/asf?p=struts.git">Source
Repository</a></li>
+ <li><a href="/updating-website.html">Updating the
website</a></li>
+ </ul>
+ </li>
+ <li class="apache"><a href="http://www.apache.org/"><img
src="/img/apache.png"></a></li>
+ </ul>
+ </div>
+ </div>
+ </div>
+ </nav>
+</header>
+
+
+<article class="container">
+ <section class="col-md-12">
+ <a class="edit-on-gh"
href="https://github.com/apache/struts-site/edit/master/source/core-developers/coep-interceptor.md"
title="Edit this page on GitHub">Edit on GitHub</a>
+
+ <a href="interceptors.html" title="back to Interceptors"><< back to
Interceptors</a>
+
+ <h1 id="fetch-metadata-interceptor">Fetch Metadata Interceptor</h1>
+
+<h2 id="description">Description</h2>
+
+<p>Interceptor that implements Cross-Origin Embedder Policy on incoming
requests.</p>
+
+<p>COEP prevents the document from loading any framed documents which don’t
opt-in by setting the COEP header. (<code
class="highlighter-rouge">Cross-Origin-Embedder-Policy: require-corp</code>).
This provides protection for documents that don’t restrict framing. A document
that doesn’t set COEP cannot be framed by another document with COEP. All
descendents of a document with COEP will also enforce the same restrictions.</p>
+
+<p>COEP is now supported by all major browsers.</p>
+
+<p><a href="https://web.dev/why-coop-coep/#coep">More information about
COEP</a>.</p>
+
+<h2 id="parameters">Parameters</h2>
+
+<ul>
+ <li><code class="highlighter-rouge">exemptedPaths</code> - Set of opt out
endpoints that are meant to serve cross-site traffic. Paths should contain
leading slashes and must be relative. This field is empty by default.</li>
+ <li><code class="highlighter-rouge">enforcingMode</code> - Boolean variable
allowing the user to let COEP operate in <code
class="highlighter-rouge">enforcing</code>, which blocks both resource and
reports violations, or <code class="highlighter-rouge">report-only</code> mode,
which only reports violations. Default value for field is <code
class="highlighter-rouge">false</code>.</li>
+ <li><code class="highlighter-rouge">disabled</code> - Boolean variable
disabling and enabling COEP. Default value for field is <code
class="highlighter-rouge">false</code>.</li>
+</ul>
+
+<h2 id="examples">Examples</h2>
+
+<div class="language-xml highlighter-rouge"><div class="highlight"><pre
class="highlight"><code><span class="nt"><action</span> <span
class="na">name=</span><span class="s">"someAction"</span> <span
class="na">class=</span><span class="s">"com.examples.SomeAction"</span><span
class="nt">></span>
+ <span class="nt"><interceptor-ref</span> <span
class="na">name=</span><span class="s">"defaultStack"</span><span
class="nt">></span>
+ <span class="nt"><param</span> <span class="na">name=</span><span
class="s">"coepInterceptor.exemptedPaths"</span><span
class="nt">></span>/path1,/path2,/path3<span class="nt"></param></span>
+ <span class="nt"><param</span> <span class="na">name=</span><span
class="s">"coepInterceptor.enforcingMode"</span><span
class="nt">></span>false<span class="nt"></param></span>
+ <span class="nt"><param</span> <span class="na">name=</span><span
class="s">"coepInterceptor.disabled"</span><span
class="nt">></span>false<span class="nt"></param></span>
+ <span class="nt"></interceptor-ref></span>
+ <span class="nt"><result</span> <span class="na">name=</span><span
class="s">"success"</span><span class="nt">></span>good_result.ftl<span
class="nt"></result></span>
+<span class="nt"></action></span>
+</code></pre></div></div>
+
+ </section>
+</article>
+
+
+<footer class="container">
+ <div class="col-md-12">
+ Copyright © 2000-2018 <a href="http://www.apache.org/">The Apache
Software Foundation </a>.
+ All Rights Reserved.
+ </div>
+ <div class="col-md-12">
+ Apache Struts, Struts, Apache, the Apache feather logo, and the Apache
Struts project logos are
+ trademarks of The Apache Software Foundation.
+ </div>
+ <div class="col-md-12">Logo and website design donated by <a
href="https://softwaremill.com/">SoftwareMill</a>.</div>
+</footer>
+
+<script>!function (d, s, id) {
+ var js, fjs = d.getElementsByTagName(s)[0];
+ if (!d.getElementById(id)) {
+ js = d.createElement(s);
+ js.id = id;
+ js.src = "//platform.twitter.com/widgets.js";
+ fjs.parentNode.insertBefore(js, fjs);
+ }
+}(document, "script", "twitter-wjs");</script>
+<script src="https://apis.google.com/js/platform.js" async="async"
defer="defer"></script>
+
+<div id="fb-root"></div>
+
+<script>(function (d, s, id) {
+ var js, fjs = d.getElementsByTagName(s)[0];
+ if (d.getElementById(id)) return;
+ js = d.createElement(s);
+ js.id = id;
+ js.src = "//connect.facebook.net/en_GB/all.js#xfbml=1";
+ fjs.parentNode.insertBefore(js, fjs);
+}(document, 'script', 'facebook-jssdk'));</script>
+
+
+</body>
+</html>
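Review bot: The article heading on this new COEP page is copied from the Fetch Metadata page: `<h1 id="fetch-metadata-interceptor">Fetch Metadata Interceptor</h1>` sits under a `<title>` of "COEP Interceptor", so the rendered page is mislabeled and its heading id does not match its topic. Since this file is generated output, the fix belongs in source/core-developers/coep-interceptor.md (the "Edit on GitHub" target), with the heading changed to "COEP Interceptor" and a matching id. In the Parameters list, the `enforcingMode` entry reads "blocks both resource and reports violations", which looks like it should be "both blocks resources and reports violations". The entry also does not say which mode the default `false` selects; if `false` means report-only, nothing is blocked out of the box and the page should say so explicitly.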
diff --git a/output/core-developers/coop-interceptor.html
b/output/core-developers/coop-interceptor.html
new file mode 100644
index 0000000..1c40203
--- /dev/null
+++ b/output/core-developers/coop-interceptor.html
@@ -0,0 +1,210 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+ <meta charset="UTF-8"/>
+ <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
+ <meta name="Date-Revision-yyyymmdd" content="20140918"/>
+ <meta http-equiv="Content-Language" content="en"/>
+ <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
+
+ <title>COOP Interceptor</title>
+
+ <link
href="//fonts.googleapis.com/css?family=Source+Sans+Pro:300,400,600,700,400italic,600italic,700italic"
rel="stylesheet" type="text/css">
+ <link
href="//netdna.bootstrapcdn.com/font-awesome/4.0.3/css/font-awesome.css"
rel="stylesheet">
+ <link href="/css/main.css" rel="stylesheet">
+ <link href="/css/custom.css" rel="stylesheet">
+ <link href="/highlighter/github-theme.css" rel="stylesheet">
+
+ <script src="//code.jquery.com/jquery-1.11.0.min.js"></script>
+ <script type="text/javascript" src="/bootstrap/js/bootstrap.js"></script>
+ <script type="text/javascript" src="/js/community.js"></script>
+</head>
+<body>
+
+<a href="http://github.com/apache/struts" class="github-ribbon">
+ <img style="position: absolute; right: 0; border: 0;"
src="https://s3.amazonaws.com/github/ribbons/forkme_right_red_aa0000.png"
alt="Fork me on GitHub">
+</a>
+
+<header>
+ <nav>
+ <div role="navigation" class="navbar navbar-default navbar-fixed-top">
+ <div class="container">
+ <div class="navbar-header">
+ <button type="button" data-toggle="collapse"
data-target="#struts-menu" class="navbar-toggle">
+ Menu
+ <span class="sr-only">Toggle navigation</span>
+ <span class="icon-bar"></span>
+ <span class="icon-bar"></span>
+ <span class="icon-bar"></span>
+ </button>
+ <a href="/index.html" class="navbar-brand logo"><img
src="/img/struts-logo.svg"></a>
+ </div>
+ <div id="struts-menu" class="navbar-collapse collapse">
+ <ul class="nav navbar-nav">
+ <li class="dropdown">
+ <a data-toggle="dropdown" href="#" class="dropdown-toggle">
+ Home<b class="caret"></b>
+ </a>
+ <ul class="dropdown-menu">
+ <li><a href="/index.html">Welcome</a></li>
+ <li><a href="/download.cgi">Download</a></li>
+ <li><a href="/releases.html">Releases</a></li>
+ <li><a href="/announce.html">Announcements</a></li>
+ <li><a href="http://www.apache.org/licenses/">License</a></li>
+ <li><a
href="https://www.apache.org/foundation/thanks.html">Thanks!</a></li>
+ <li><a
href="https://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
+ </ul>
+ </li>
+ <li class="dropdown">
+ <a data-toggle="dropdown" href="#" class="dropdown-toggle">
+ Support<b class="caret"></b>
+ </a>
+ <ul class="dropdown-menu">
+ <li><a href="/mail.html">User Mailing List</a></li>
+ <li><a href="https://issues.apache.org/jira/browse/WW">Issue
Tracker</a></li>
+ <li><a href="/security.html">Reporting Security Issues</a></li>
+ <li class="divider"></li>
+ <li><a
href="https://cwiki.apache.org/confluence/display/WW/Migration+Guide">Version
Notes</a></li>
+ <li><a
href="https://cwiki.apache.org/confluence/display/WW/Security+Bulletins">Security
Bulletins</a></li>
+ <li class="divider"></li>
+ <li><a href="/maven/project-info.html">Maven Project
Info</a></li>
+ <li><a href="/maven/struts2-core/dependencies.html">Struts
Core Dependencies</a></li>
+ <li><a href="/maven/struts2-plugins/modules.html">Plugin
Dependencies</a></li>
+ </ul>
+ </li>
+ <li class="dropdown">
+ <a data-toggle="dropdown" href="#" class="dropdown-toggle">
+ Documentation<b class="caret"></b>
+ </a>
+ <ul class="dropdown-menu">
+ <li><a href="/birdseye.html">Birds Eye</a></li>
+ <li><a href="/primer.html">Key Technologies</a></li>
+ <li><a href="/kickstart.html">Kickstart FAQ</a></li>
+ <li><a
href="https://cwiki.apache.org/confluence/display/WW/Home">Wiki</a></li>
+ <li class="divider"></li>
+ <li><a href="/getting-started/">Getting Started</a></li>
+ <li><a href="/security/">Security Guide</a></li>
+ <li><a href="/core-developers/">Core Developers Guide</a></li>
+ <li><a href="/tag-developers/">Tag Developers Guide</a></li>
+ <li><a href="/maven-archetypes/">Maven Archetypes</a></li>
+ <li><a href="/plugins/">Plugins</a></li>
+ <li><a href="/maven/struts2-core/apidocs/index.html">Struts
Core API</a></li>
+ <li><a href="/tag-developers/tag-reference.html">Tag
reference</a></li>
+ <li><a
href="https://cwiki.apache.org/confluence/display/WW/FAQs">FAQs</a></li>
+ <li><a
href="http://cwiki.apache.org/S2PLUGINS/home.html">Plugin registry</a></li>
+ </ul>
+ </li>
+ <li class="dropdown">
+ <a data-toggle="dropdown" href="#" class="dropdown-toggle">
+ Contributing<b class="caret"></b>
+ </a>
+ <ul class="dropdown-menu">
+ <li><a href="/youatstruts.html">You at Struts</a></li>
+ <li><a href="/helping.html">How to Help FAQ</a></li>
+ <li><a href="/dev-mail.html">Development Lists</a></li>
+ <li class="divider"></li>
+ <li><a href="/submitting-patches.html">Submitting
patches</a></li>
+ <li><a href="/builds.html">Source Code and Builds</a></li>
+ <li><a href="/coding-standards.html">Coding standards</a></li>
+ <li><a
href="https://cwiki.apache.org/confluence/display/WW/Contributors+Guide">Contributors
Guide</a></li>
+ <li class="divider"></li>
+ <li><a href="/release-guidelines.html">Release
Guidelines</a></li>
+ <li><a href="/bylaws.html">PMC Charter</a></li>
+ <li><a href="/volunteers.html">Volunteers</a></li>
+ <li><a
href="https://gitbox.apache.org/repos/asf?p=struts.git">Source
Repository</a></li>
+ <li><a href="/updating-website.html">Updating the
website</a></li>
+ </ul>
+ </li>
+ <li class="apache"><a href="http://www.apache.org/"><img
src="/img/apache.png"></a></li>
+ </ul>
+ </div>
+ </div>
+ </div>
+ </nav>
+</header>
+
+
+<article class="container">
+ <section class="col-md-12">
+ <a class="edit-on-gh"
href="https://github.com/apache/struts-site/edit/master/source/core-developers/coop-interceptor.md"
title="Edit this page on GitHub">Edit on GitHub</a>
+
+ <a href="interceptors.html" title="back to Interceptors"><< back to
Interceptors</a>
+
+ <h1 id="fetch-metadata-interceptor">Fetch Metadata Interceptor</h1>
+
+<h2 id="description">Description</h2>
+
+<p>Interceptor that implements Cross-Origin Opener Policy on incoming
requests.</p>
+
+<p>COOP is a security mitigation that lets developers isolate their resources
against side-channel attacks and information leaks. The COOP response header
allows a document to request a new browsing context group to better isolate
itself from other untrustworthy origins. Separating browsing contexts is
necessary because at least two types of attacks are possible when a document
shares a browsing context group and possibly an operating system process with
cross-origin documents:</p>
+
+<ul>
+ <li>Cross-window attacks. A malicious document can open a victim document in
a new window and later navigate the window to a look-alike document to trick
the user, or attempt to exploit postMessage vulnerabilities in the victim
document.</li>
+ <li>Process-wide attacks. Side channel and transient execution attacks like
Spectre may provide an opportunity to the malicious document to get access to
sensitive data from the victim document, if they share an OS process.</li>
+</ul>
+
+<p>The COOP header can have one of 3 values: <code
class="highlighter-rouge">same-origin</code>, <code
class="highlighter-rouge">same-origin-allow-popups</code>, <code
class="highlighter-rouge">unsafe-none</code>. If the COOP values are the same,
and the origins of the documents match the relationship declared in the COOP
header value, documents can interact with each other. Otherwise if at least one
of the documents sets COOP, the browser will create a new browsing context
group severi [...]
+
+<p>COOP is now supported by all major browsers.</p>
+
+<p><a href="https://web.dev/why-coop-coep/#coop">More information about
COOP</a>.</p>
+
+<h2 id="parameters">Parameters</h2>
+
+<ul>
+ <li><code class="highlighter-rouge">exemptedPaths</code> - Set of opt out
endpoints that are meant to serve cross-site traffic. Paths should contain
leading slashes and must be relative. This field is empty by default.</li>
+ <li><code class="highlighter-rouge">mode</code> - The policy mode COOP
should follow. Available modes are <code
class="highlighter-rouge">same-origin</code>, <code
class="highlighter-rouge">same-origin-allow-popups</code>, <code
class="highlighter-rouge">unsafe-none</code>. Default mode is <code
class="highlighter-rouge">same-origin</code>.</li>
+</ul>
+
+<h2 id="examples">Examples</h2>
+
+<div class="language-xml highlighter-rouge"><div class="highlight"><pre
class="highlight"><code><span class="nt"><action</span> <span
class="na">name=</span><span class="s">"someAction"</span> <span
class="na">class=</span><span class="s">"com.examples.SomeAction"</span><span
class="nt">></span>
+ <span class="nt"><interceptor-ref</span> <span
class="na">name=</span><span class="s">"defaultStack"</span><span
class="nt">></span>
+ <span class="nt"><param</span> <span class="na">name=</span><span
class="s">"coopInterceptor.exemptedPaths"</span><span
class="nt">></span>/path1,/path2,/path3<span class="nt"></param></span>
+ <span class="nt"><param</span> <span class="na">name=</span><span
class="s">"coopInterceptor.mode"</span><span
class="nt">></span>same-origin<span class="nt"></param></span>
+ <span class="nt"></interceptor-ref></span>
+ <span class="nt"><result</span> <span class="na">name=</span><span
class="s">"success"</span><span class="nt">></span>good_result.ftl<span
class="nt"></result></span>
+<span class="nt"></action></span>
+</code></pre></div></div>
+
+ </section>
+</article>
+
+
+<footer class="container">
+ <div class="col-md-12">
+ Copyright © 2000-2018 <a href="http://www.apache.org/">The Apache
Software Foundation </a>.
+ All Rights Reserved.
+ </div>
+ <div class="col-md-12">
+ Apache Struts, Struts, Apache, the Apache feather logo, and the Apache
Struts project logos are
+ trademarks of The Apache Software Foundation.
+ </div>
+ <div class="col-md-12">Logo and website design donated by <a
href="https://softwaremill.com/">SoftwareMill</a>.</div>
+</footer>
+
+<script>!function (d, s, id) {
+ var js, fjs = d.getElementsByTagName(s)[0];
+ if (!d.getElementById(id)) {
+ js = d.createElement(s);
+ js.id = id;
+ js.src = "//platform.twitter.com/widgets.js";
+ fjs.parentNode.insertBefore(js, fjs);
+ }
+}(document, "script", "twitter-wjs");</script>
+<script src="https://apis.google.com/js/platform.js" async="async"
defer="defer"></script>
+
+<div id="fb-root"></div>
+
+<script>(function (d, s, id) {
+ var js, fjs = d.getElementsByTagName(s)[0];
+ if (d.getElementById(id)) return;
+ js = d.createElement(s);
+ js.id = id;
+ js.src = "//connect.facebook.net/en_GB/all.js#xfbml=1";
+ fjs.parentNode.insertBefore(js, fjs);
+}(document, 'script', 'facebook-jssdk'));</script>
+
+
+</body>
+</html>
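Review bot: The same copy-paste heading appears here: `<h1 id="fetch-metadata-interceptor">Fetch Metadata Interceptor</h1>` on a page titled "COOP Interceptor". It should be "COOP Interceptor" with its own id, fixed in source/core-developers/coop-interceptor.md rather than in this generated file. The `exemptedPaths` entry is also missing a detail an operator needs: it calls these "opt out endpoints" but does not say whether an exempted path is served with no COOP header at all or with `unsafe-none`. One sentence on that would help.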
diff --git a/output/core-developers/fetch-metadata-interceptor.html
b/output/core-developers/fetch-metadata-interceptor.html
new file mode 100644
index 0000000..beb1bc9
--- /dev/null
+++ b/output/core-developers/fetch-metadata-interceptor.html
@@ -0,0 +1,205 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+ <meta charset="UTF-8"/>
+ <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
+ <meta name="Date-Revision-yyyymmdd" content="20140918"/>
+ <meta http-equiv="Content-Language" content="en"/>
+ <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
+
+ <title>Fetch Metadata Interceptor</title>
+
+ <link
href="//fonts.googleapis.com/css?family=Source+Sans+Pro:300,400,600,700,400italic,600italic,700italic"
rel="stylesheet" type="text/css">
+ <link
href="//netdna.bootstrapcdn.com/font-awesome/4.0.3/css/font-awesome.css"
rel="stylesheet">
+ <link href="/css/main.css" rel="stylesheet">
+ <link href="/css/custom.css" rel="stylesheet">
+ <link href="/highlighter/github-theme.css" rel="stylesheet">
+
+ <script src="//code.jquery.com/jquery-1.11.0.min.js"></script>
+ <script type="text/javascript" src="/bootstrap/js/bootstrap.js"></script>
+ <script type="text/javascript" src="/js/community.js"></script>
+</head>
+<body>
+
+<a href="http://github.com/apache/struts" class="github-ribbon">
+ <img style="position: absolute; right: 0; border: 0;"
src="https://s3.amazonaws.com/github/ribbons/forkme_right_red_aa0000.png"
alt="Fork me on GitHub">
+</a>
+
+<header>
+ <nav>
+ <div role="navigation" class="navbar navbar-default navbar-fixed-top">
+ <div class="container">
+ <div class="navbar-header">
+ <button type="button" data-toggle="collapse"
data-target="#struts-menu" class="navbar-toggle">
+ Menu
+ <span class="sr-only">Toggle navigation</span>
+ <span class="icon-bar"></span>
+ <span class="icon-bar"></span>
+ <span class="icon-bar"></span>
+ </button>
+ <a href="/index.html" class="navbar-brand logo"><img
src="/img/struts-logo.svg"></a>
+ </div>
+ <div id="struts-menu" class="navbar-collapse collapse">
+ <ul class="nav navbar-nav">
+ <li class="dropdown">
+ <a data-toggle="dropdown" href="#" class="dropdown-toggle">
+ Home<b class="caret"></b>
+ </a>
+ <ul class="dropdown-menu">
+ <li><a href="/index.html">Welcome</a></li>
+ <li><a href="/download.cgi">Download</a></li>
+ <li><a href="/releases.html">Releases</a></li>
+ <li><a href="/announce.html">Announcements</a></li>
+ <li><a href="http://www.apache.org/licenses/">License</a></li>
+ <li><a
href="https://www.apache.org/foundation/thanks.html">Thanks!</a></li>
+ <li><a
href="https://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
+ </ul>
+ </li>
+ <li class="dropdown">
+ <a data-toggle="dropdown" href="#" class="dropdown-toggle">
+ Support<b class="caret"></b>
+ </a>
+ <ul class="dropdown-menu">
+ <li><a href="/mail.html">User Mailing List</a></li>
+ <li><a href="https://issues.apache.org/jira/browse/WW">Issue
Tracker</a></li>
+ <li><a href="/security.html">Reporting Security Issues</a></li>
+ <li class="divider"></li>
+ <li><a
href="https://cwiki.apache.org/confluence/display/WW/Migration+Guide">Version
Notes</a></li>
+ <li><a
href="https://cwiki.apache.org/confluence/display/WW/Security+Bulletins">Security
Bulletins</a></li>
+ <li class="divider"></li>
+ <li><a href="/maven/project-info.html">Maven Project
Info</a></li>
+ <li><a href="/maven/struts2-core/dependencies.html">Struts
Core Dependencies</a></li>
+ <li><a href="/maven/struts2-plugins/modules.html">Plugin
Dependencies</a></li>
+ </ul>
+ </li>
+ <li class="dropdown">
+ <a data-toggle="dropdown" href="#" class="dropdown-toggle">
+ Documentation<b class="caret"></b>
+ </a>
+ <ul class="dropdown-menu">
+ <li><a href="/birdseye.html">Birds Eye</a></li>
+ <li><a href="/primer.html">Key Technologies</a></li>
+ <li><a href="/kickstart.html">Kickstart FAQ</a></li>
+ <li><a
href="https://cwiki.apache.org/confluence/display/WW/Home">Wiki</a></li>
+ <li class="divider"></li>
+ <li><a href="/getting-started/">Getting Started</a></li>
+ <li><a href="/security/">Security Guide</a></li>
+ <li><a href="/core-developers/">Core Developers Guide</a></li>
+ <li><a href="/tag-developers/">Tag Developers Guide</a></li>
+ <li><a href="/maven-archetypes/">Maven Archetypes</a></li>
+ <li><a href="/plugins/">Plugins</a></li>
+ <li><a href="/maven/struts2-core/apidocs/index.html">Struts
Core API</a></li>
+ <li><a href="/tag-developers/tag-reference.html">Tag
reference</a></li>
+ <li><a
href="https://cwiki.apache.org/confluence/display/WW/FAQs">FAQs</a></li>
+ <li><a
href="http://cwiki.apache.org/S2PLUGINS/home.html">Plugin registry</a></li>
+ </ul>
+ </li>
+ <li class="dropdown">
+ <a data-toggle="dropdown" href="#" class="dropdown-toggle">
+ Contributing<b class="caret"></b>
+ </a>
+ <ul class="dropdown-menu">
+ <li><a href="/youatstruts.html">You at Struts</a></li>
+ <li><a href="/helping.html">How to Help FAQ</a></li>
+ <li><a href="/dev-mail.html">Development Lists</a></li>
+ <li class="divider"></li>
+ <li><a href="/submitting-patches.html">Submitting
patches</a></li>
+ <li><a href="/builds.html">Source Code and Builds</a></li>
+ <li><a href="/coding-standards.html">Coding standards</a></li>
+ <li><a
href="https://cwiki.apache.org/confluence/display/WW/Contributors+Guide">Contributors
Guide</a></li>
+ <li class="divider"></li>
+ <li><a href="/release-guidelines.html">Release
Guidelines</a></li>
+ <li><a href="/bylaws.html">PMC Charter</a></li>
+ <li><a href="/volunteers.html">Volunteers</a></li>
+ <li><a
href="https://gitbox.apache.org/repos/asf?p=struts.git">Source
Repository</a></li>
+ <li><a href="/updating-website.html">Updating the
website</a></li>
+ </ul>
+ </li>
+ <li class="apache"><a href="http://www.apache.org/"><img
src="/img/apache.png"></a></li>
+ </ul>
+ </div>
+ </div>
+ </div>
+ </nav>
+</header>
+
+
+<article class="container">
+ <section class="col-md-12">
+ <a class="edit-on-gh"
href="https://github.com/apache/struts-site/edit/master/source/core-developers/fetch-metadata-interceptor.md"
title="Edit this page on GitHub">Edit on GitHub</a>
+
+ <a href="interceptors.html" title="back to Interceptors"><< back to
Interceptors</a>
+
+ <h1 id="fetch-metadata-interceptor">Fetch Metadata Interceptor</h1>
+
+<h2 id="description">Description</h2>
+
+<p>An interceptor that implements Fetch Metadata on incoming requests used to
protect against CSRF, XSSI, and cross-origin information leaks. Uses a default
Resource Isolation Policy to programmatically reject cross-origin requests.</p>
+
+<p>A Resource Isolation Policy is a strong defense in-depth mechanism that
prevents the resources on a server from being requested by external websites.
This policy can be enabled either for all endpoints of the application and
endpoints that are meant to be loaded in a cross-site context can be exempted
from the policy.</p>
+
+<p>The browser provides information about the context of an HTTP request in a
set of <code class="highlighter-rouge">Sec-Fetch-*</code> headers. This allows
the server processing the request to make decisions on whether the request
should be accepted or rejected based on the preferred resource isolation
policy. Struts provides a default Resource Isolation Policy that rejects
cross-origin requests that aren’t top level navigations.</p>
+
+<div class="highlighter-rouge"><div class="highlight"><pre
class="highlight"><code>Sec-Fetch-Site == 'cross-site' AND (Sec-Fetch-Mode !=
'navigate'/'nested-navigate' OR method NOT IN [GET, HEAD])
+</code></pre></div></div>
+
+<p>Refer to <a
href="https://web.dev/fetch-metadata/#implementing-a-resource-isolation-policy">Implementing
a Resource Isolation Policy</a> for further information on implementing
effective Resource Isolation Policies.
+Fetch Metadata is supported in all major browsers</p>
+
+<h2 id="parameters">Parameters</h2>
+
+<ul>
+ <li><code class="highlighter-rouge">exemptedPaths</code> - Set of opt out
endpoints that are meant to serve cross-site traffic. Paths should contain
leading slashes and must be relative. This field is empty by default.</li>
+</ul>
+
+<h2 id="examples">Examples</h2>
+
+<div class="language-xml highlighter-rouge"><div class="highlight"><pre
class="highlight"><code><span class="nt"><action</span> <span
class="na">name=</span><span class="s">"someAction"</span> <span
class="na">class=</span><span class="s">"com.examples.SomeAction"</span><span
class="nt">></span>
+ <span class="nt"><interceptor-ref</span> <span
class="na">name=</span><span class="s">"defaultStack"</span><span
class="nt">></span>
+ <span class="nt"><param</span> <span
class="na">name=</span><span
class="s">"fetchMetadata.exemptedPaths"</span><span
class="nt">></span>/path1,/path2,/path3<span class="nt"></param></span>
+ <span class="nt"></interceptor-ref></span>
+ <span class="nt"><result</span> <span class="na">name=</span><span
class="s">"success"</span><span class="nt">></span>good_result.ftl<span
class="nt"></result></span>
+<span class="nt"></action></span>
+</code></pre></div></div>
+
+ </section>
+</article>
+
+
+<footer class="container">
+ <div class="col-md-12">
+ Copyright © 2000-2018 <a href="http://www.apache.org/">The Apache
Software Foundation </a>.
+ All Rights Reserved.
+ </div>
+ <div class="col-md-12">
+ Apache Struts, Struts, Apache, the Apache feather logo, and the Apache
Struts project logos are
+ trademarks of The Apache Software Foundation.
+ </div>
+ <div class="col-md-12">Logo and website design donated by <a
href="https://softwaremill.com/">SoftwareMill</a>.</div>
+</footer>
+
+<script>!function (d, s, id) {
+ var js, fjs = d.getElementsByTagName(s)[0];
+ if (!d.getElementById(id)) {
+ js = d.createElement(s);
+ js.id = id;
+ js.src = "//platform.twitter.com/widgets.js";
+ fjs.parentNode.insertBefore(js, fjs);
+ }
+}(document, "script", "twitter-wjs");</script>
+<script src="https://apis.google.com/js/platform.js" async="async"
defer="defer"></script>
+
+<div id="fb-root"></div>
+
+<script>(function (d, s, id) {
+ var js, fjs = d.getElementsByTagName(s)[0];
+ if (d.getElementById(id)) return;
+ js = d.createElement(s);
+ js.id = id;
+ js.src = "//connect.facebook.net/en_GB/all.js#xfbml=1";
+ fjs.parentNode.insertBefore(js, fjs);
+}(document, 'script', 'facebook-jssdk'));</script>
+
+
+</body>
+</html>
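Review bot: the `exemptedPaths` description in the Parameters list does not say how a request is matched against an entry or what the paths are relative to, and the comma-separated form is only visible in the example (`/path1,/path2,/path3`). Every exempted path opts out of the policy, so state whether matching is exact or by prefix, name the base the path is relative to, and document the separator next to the parameter. It would also help to explain why the example writes `fetchMetadata.exemptedPaths` on the `defaultStack` reference while the parameter is listed as `exemptedPaths`.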
diff --git a/output/core-developers/interceptors.html
b/output/core-developers/interceptors.html
index 9761818..5f8782e 100644
--- a/output/core-developers/interceptors.html
+++ b/output/core-developers/interceptors.html
@@ -467,11 +467,14 @@ than reiterate the same list of Interceptors, we can
bundle these Interceptors t
<span class="nt"><interceptor</span> <span
class="na">name=</span><span class="s">"alias"</span> <span
class="na">class=</span><span
class="s">"com.opensymphony.xwork2.interceptor.AliasInterceptor"</span><span
class="nt">/></span>
<span class="nt"><interceptor</span> <span
class="na">name=</span><span class="s">"autowiring"</span> <span
class="na">class=</span><span
class="s">"com.opensymphony.xwork2.spring.interceptor.ActionAutowiringInterceptor"</span><span
class="nt">/></span>
<span class="nt"><interceptor</span> <span
class="na">name=</span><span class="s">"chain"</span> <span
class="na">class=</span><span
class="s">"com.opensymphony.xwork2.interceptor.ChainingInterceptor"</span><span
class="nt">/></span>
+ <span class="nt"><interceptor</span> <span
class="na">name=</span><span class="s">"coepInterceptor"</span> <span
class="na">class=</span><span
class="s">"org.apache.struts2.interceptor.CoepInterceptor"</span><span
class="nt">/></span>
<span class="nt"><interceptor</span> <span
class="na">name=</span><span class="s">"conversionError"</span> <span
class="na">class=</span><span
class="s">"org.apache.struts2.interceptor.StrutsConversionErrorInterceptor"</span><span
class="nt">/></span>
<span class="nt"><interceptor</span> <span
class="na">name=</span><span class="s">"cookie"</span> <span
class="na">class=</span><span
class="s">"org.apache.struts2.interceptor.CookieInterceptor"</span><span
class="nt">/></span>
<span class="nt"><interceptor</span> <span
class="na">name=</span><span class="s">"cookieProvider"</span> <span
class="na">class=</span><span
class="s">"org.apache.struts2.interceptor.CookieProviderInterceptor"</span><span
class="nt">/></span>
<span class="nt"><interceptor</span> <span
class="na">name=</span><span class="s">"clearSession"</span> <span
class="na">class=</span><span
class="s">"org.apache.struts2.interceptor.ClearSessionInterceptor"</span> <span
class="nt">/></span>
+ <span class="nt"><interceptor</span> <span
class="na">name=</span><span class="s">"coopInterceptor"</span> <span
class="na">class=</span><span
class="s">"org.apache.struts2.interceptor.CoopInterceptor"</span><span
class="nt">/></span>
<span class="nt"><interceptor</span> <span
class="na">name=</span><span class="s">"createSession"</span> <span
class="na">class=</span><span
class="s">"org.apache.struts2.interceptor.CreateSessionInterceptor"</span>
<span class="nt">/></span>
+ <span class="nt"><interceptor</span> <span
class="na">name=</span><span class="s">"cspInterceptor"</span> <span
class="na">class=</span><span
class="s">"org.apache.struts2.interceptor.csp.CspInterceptor"</span><span
class="nt">/></span>
<span class="nt"><interceptor</span> <span
class="na">name=</span><span class="s">"debugging"</span> <span
class="na">class=</span><span
class="s">"org.apache.struts2.interceptor.debugging.DebuggingInterceptor"</span>
<span class="nt">/></span>
<span class="nt"><interceptor</span> <span
class="na">name=</span><span class="s">"execAndWait"</span> <span
class="na">class=</span><span
class="s">"org.apache.struts2.interceptor.ExecuteAndWaitInterceptor"</span><span
class="nt">/></span>
<span class="nt"><interceptor</span> <span
class="na">name=</span><span class="s">"exception"</span> <span
class="na">class=</span><span
class="s">"com.opensymphony.xwork2.interceptor.ExceptionMappingInterceptor"</span><span
class="nt">/></span>
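Review bot: the three new registrations are named `coepInterceptor`, `coopInterceptor` and `cspInterceptor`, while every neighbouring entry in this listing uses the bare name (`alias`, `chain`, `cookie`, `createSession`). Consider `coep`, `coop` and `csp` so that references stay consistent with the rest of the stack, or say in the docs why these three carry the suffix.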
@@ -603,6 +606,9 @@ than reiterate the same list of Interceptors, we can bundle
these Interceptors t
<span class="nt"><interceptor-ref</span> <span
class="na">name=</span><span class="s">"alias"</span><span
class="nt">/></span>
<span class="nt"><interceptor-ref</span> <span
class="na">name=</span><span class="s">"servletConfig"</span><span
class="nt">/></span>
<span class="nt"><interceptor-ref</span> <span
class="na">name=</span><span class="s">"i18n"</span><span
class="nt">/></span>
+ <span class="nt"><interceptor-ref</span> <span
class="na">name=</span><span class="s">"cspInterceptor"</span><span
class="nt">></span>
+ <span class="nt"><param</span> <span
class="na">name=</span><span class="s">"enforcingMode"</span><span
class="nt">></span>false<span class="nt"></param></span>
+ <span class="nt"></interceptor-ref></span>
<span class="nt"><interceptor-ref</span> <span
class="na">name=</span><span class="s">"prepare"</span><span
class="nt">/></span>
<span class="nt"><interceptor-ref</span> <span
class="na">name=</span><span class="s">"chain"</span><span
class="nt">/></span>
<span class="nt"><interceptor-ref</span> <span
class="na">name=</span><span class="s">"scopedModelDriven"</span><span
class="nt">/></span>
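Review bot: `cspInterceptor` enters the stack with `enforcingMode` set to `false`, and nothing near this listing tells the reader what the non-enforcing mode does or that the value has to change before a policy is enforced. Add a sentence or a link to the interceptor's own page beside the listing so the shipped default is not mistaken for an enforced policy.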
@@ -615,6 +621,15 @@ than reiterate the same list of Interceptors, we can
bundle these Interceptors t
<span class="nt"><interceptor-ref</span> <span
class="na">name=</span><span class="s">"actionMappingParams"</span><span
class="nt">/></span>
<span class="nt"><interceptor-ref</span> <span
class="na">name=</span><span class="s">"params"</span><span
class="nt">/></span>
<span class="nt"><interceptor-ref</span> <span
class="na">name=</span><span class="s">"conversionError"</span><span
class="nt">/></span>
+ <span class="nt"><interceptor-ref</span> <span
class="na">name=</span><span class="s">"coepInterceptor"</span><span
class="nt">></span>
+ <span class="nt"><param</span> <span
class="na">name=</span><span class="s">"enforcingMode"</span><span
class="nt">></span>false<span class="nt"></param></span>
+ <span class="nt"><param</span> <span
class="na">name=</span><span class="s">"disabled"</span><span
class="nt">></span>false<span class="nt"></param></span>
+ <span class="nt"><param</span> <span
class="na">name=</span><span class="s">"exemptedPaths"</span><span
class="nt">></param></span>
+ <span class="nt"></interceptor-ref></span>
+ <span class="nt"><interceptor-ref</span> <span
class="na">name=</span><span class="s">"coopInterceptor"</span><span
class="nt">></span>
+ <span class="nt"><param</span> <span
class="na">name=</span><span class="s">"exemptedPaths"</span><span
class="nt">></param></span>
+ <span class="nt"><param</span> <span
class="na">name=</span><span class="s">"mode"</span><span
class="nt">></span>same-origin<span class="nt"></param></span>
+ <span class="nt"></interceptor-ref></span>
<span class="nt"><interceptor-ref</span> <span
class="na">name=</span><span class="s">"fetchMetadata"</span><span
class="nt">/></span>
<span class="nt"><interceptor-ref</span> <span
class="na">name=</span><span class="s">"validation"</span><span
class="nt">></span>
<span class="nt"><param</span> <span
class="na">name=</span><span class="s">"excludeMethods"</span><span
class="nt">></span>input,back,cancel,browse<span
class="nt"></param></span>
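Review bot: the `coepInterceptor` reference carries both `enforcingMode` and `disabled`, and the listing does not say how the two interact, in particular what `enforcingMode` `false` together with `disabled` `false` produces. Document the combination where the parameters are described. The empty `exemptedPaths` elements on both references add nothing if empty is the default, as the parameter description earlier in this patch states for `exemptedPaths`, and the parameter order differs between the two references for no visible reason.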
@@ -701,6 +716,11 @@ specified in the <code
class="highlighter-rouge"><interceptors/></code> ta
<td>Adds automatic checkbox handling code that detect an unchecked
checkbox and add it as a parameter with a default (usually ‘false’) value. Uses
a specially named hidden field to detect unsubmitted checkboxes. The default
unchecked value is overridable for non-boolean value’d checkboxes.</td>
</tr>
<tr>
+ <td><a href="coep-interceptor.html">COEP Interceptor</a></td>
+ <td>coep</td>
+ <td>Implements the Cross-Origin Embedder Policy on incoming requests
used to protect a document from loading any non-same-origin resources which
don’t explicitly grant the document permission to be loaded.</td>
+ </tr>
+ <tr>
<td><a href="conversion-error-interceptor.html">Conversion Error
Interceptor</a></td>
<td>conversionError</td>
<td>Adds conversion errors from the ActionContext to the Action’s field
errors</td>
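Review bot: the name column of the new row says `coep`, but the interceptor is registered and referenced as `coepInterceptor` in the listings changed earlier in this file, so a reader copying `coep` into an `interceptor-ref` will not match the registered name. Use the registered name in the table; the COOP row added further down has the same mismatch (`coop` against `coopInterceptor`).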
@@ -716,6 +736,11 @@ specified in the <code
class="highlighter-rouge"><interceptors/></code> ta
<td>Transfer cookies from action to response (Since 2.3.15.)</td>
</tr>
<tr>
+ <td><a href="coop-interceptor.html">COOP Interceptor</a></td>
+ <td>coop</td>
+ <td>Implements the Cross-Origin Opener Policy on incoming requests used
to isolate resources against side-channel attacks and information leaks.</td>
+ </tr>
+ <tr>
<td><a href="create-session-interceptor.html">Create Session
Interceptor</a></td>
<td>createSession</td>
<td>Create an HttpSession automatically, useful with certain
Interceptors that require a HttpSession to work properly (like the
TokenInterceptor)</td>
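Review bot: the new row's description says the policy is implemented "on incoming requests", while the security page text in this same patch describes COOP as a response header. Reword the cell so it agrees with that description, and apply the same wording fix to the COEP row, which uses the identical phrase.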
@@ -746,6 +771,11 @@ specified in the <code
class="highlighter-rouge"><interceptors/></code> ta
<td>Executes the Action in the background and then sends the user off to
an intermediate waiting page.</td>
</tr>
<tr>
+ <td><a href="fetch-metadata-interceptor.html">Fetch Metadata
Interceptor</a></td>
+ <td>fetchMetadata</td>
+ <td>Implements the Resource Isolation Policies on incoming requests used
to protect against CSRF, XSSI, and cross-origin information leaks.</td>
+ </tr>
+ <tr>
<td><a href="file-upload-interceptor.html">File Upload
Interceptor</a></td>
<td>fileUpload</td>
<td>An Interceptor that adds easy access to file upload support.</td>
diff --git a/output/core-developers/struts-default-xml.html
b/output/core-developers/struts-default-xml.html
index 29f0ea2..563e8e1 100644
--- a/output/core-developers/struts-default-xml.html
+++ b/output/core-developers/struts-default-xml.html
@@ -384,11 +384,14 @@ setting in <a
href="struts-properties.html">struts.properties</a>.</p>
<span class="nt"><interceptor</span> <span
class="na">name=</span><span class="s">"alias"</span> <span
class="na">class=</span><span
class="s">"com.opensymphony.xwork2.interceptor.AliasInterceptor"</span><span
class="nt">/></span>
<span class="nt"><interceptor</span> <span
class="na">name=</span><span class="s">"autowiring"</span> <span
class="na">class=</span><span
class="s">"com.opensymphony.xwork2.spring.interceptor.ActionAutowiringInterceptor"</span><span
class="nt">/></span>
<span class="nt"><interceptor</span> <span
class="na">name=</span><span class="s">"chain"</span> <span
class="na">class=</span><span
class="s">"com.opensymphony.xwork2.interceptor.ChainingInterceptor"</span><span
class="nt">/></span>
+ <span class="nt"><interceptor</span> <span
class="na">name=</span><span class="s">"coepInterceptor"</span> <span
class="na">class=</span><span
class="s">"org.apache.struts2.interceptor.CoepInterceptor"</span><span
class="nt">/></span>
<span class="nt"><interceptor</span> <span
class="na">name=</span><span class="s">"conversionError"</span> <span
class="na">class=</span><span
class="s">"org.apache.struts2.interceptor.StrutsConversionErrorInterceptor"</span><span
class="nt">/></span>
<span class="nt"><interceptor</span> <span
class="na">name=</span><span class="s">"cookie"</span> <span
class="na">class=</span><span
class="s">"org.apache.struts2.interceptor.CookieInterceptor"</span><span
class="nt">/></span>
<span class="nt"><interceptor</span> <span
class="na">name=</span><span class="s">"cookieProvider"</span> <span
class="na">class=</span><span
class="s">"org.apache.struts2.interceptor.CookieProviderInterceptor"</span><span
class="nt">/></span>
<span class="nt"><interceptor</span> <span
class="na">name=</span><span class="s">"clearSession"</span> <span
class="na">class=</span><span
class="s">"org.apache.struts2.interceptor.ClearSessionInterceptor"</span> <span
class="nt">/></span>
+ <span class="nt"><interceptor</span> <span
class="na">name=</span><span class="s">"coopInterceptor"</span> <span
class="na">class=</span><span
class="s">"org.apache.struts2.interceptor.CoopInterceptor"</span><span
class="nt">/></span>
<span class="nt"><interceptor</span> <span
class="na">name=</span><span class="s">"createSession"</span> <span
class="na">class=</span><span
class="s">"org.apache.struts2.interceptor.CreateSessionInterceptor"</span>
<span class="nt">/></span>
+ <span class="nt"><interceptor</span> <span
class="na">name=</span><span class="s">"cspInterceptor"</span> <span
class="na">class=</span><span
class="s">"org.apache.struts2.interceptor.csp.CspInterceptor"</span><span
class="nt">/></span>
<span class="nt"><interceptor</span> <span
class="na">name=</span><span class="s">"debugging"</span> <span
class="na">class=</span><span
class="s">"org.apache.struts2.interceptor.debugging.DebuggingInterceptor"</span>
<span class="nt">/></span>
<span class="nt"><interceptor</span> <span
class="na">name=</span><span class="s">"execAndWait"</span> <span
class="na">class=</span><span
class="s">"org.apache.struts2.interceptor.ExecuteAndWaitInterceptor"</span><span
class="nt">/></span>
<span class="nt"><interceptor</span> <span
class="na">name=</span><span class="s">"exception"</span> <span
class="na">class=</span><span
class="s">"com.opensymphony.xwork2.interceptor.ExceptionMappingInterceptor"</span><span
class="nt">/></span>
@@ -520,6 +523,9 @@ setting in <a
href="struts-properties.html">struts.properties</a>.</p>
<span class="nt"><interceptor-ref</span> <span
class="na">name=</span><span class="s">"alias"</span><span
class="nt">/></span>
<span class="nt"><interceptor-ref</span> <span
class="na">name=</span><span class="s">"servletConfig"</span><span
class="nt">/></span>
<span class="nt"><interceptor-ref</span> <span
class="na">name=</span><span class="s">"i18n"</span><span
class="nt">/></span>
+ <span class="nt"><interceptor-ref</span> <span
class="na">name=</span><span class="s">"cspInterceptor"</span><span
class="nt">></span>
+ <span class="nt"><param</span> <span
class="na">name=</span><span class="s">"enforcingMode"</span><span
class="nt">></span>false<span class="nt"></param></span>
+ <span class="nt"></interceptor-ref></span>
<span class="nt"><interceptor-ref</span> <span
class="na">name=</span><span class="s">"prepare"</span><span
class="nt">/></span>
<span class="nt"><interceptor-ref</span> <span
class="na">name=</span><span class="s">"chain"</span><span
class="nt">/></span>
<span class="nt"><interceptor-ref</span> <span
class="na">name=</span><span class="s">"scopedModelDriven"</span><span
class="nt">/></span>
@@ -532,6 +538,15 @@ setting in <a
href="struts-properties.html">struts.properties</a>.</p>
<span class="nt"><interceptor-ref</span> <span
class="na">name=</span><span class="s">"actionMappingParams"</span><span
class="nt">/></span>
<span class="nt"><interceptor-ref</span> <span
class="na">name=</span><span class="s">"params"</span><span
class="nt">/></span>
<span class="nt"><interceptor-ref</span> <span
class="na">name=</span><span class="s">"conversionError"</span><span
class="nt">/></span>
+ <span class="nt"><interceptor-ref</span> <span
class="na">name=</span><span class="s">"coepInterceptor"</span><span
class="nt">></span>
+ <span class="nt"><param</span> <span
class="na">name=</span><span class="s">"enforcingMode"</span><span
class="nt">></span>false<span class="nt"></param></span>
+ <span class="nt"><param</span> <span
class="na">name=</span><span class="s">"disabled"</span><span
class="nt">></span>false<span class="nt"></param></span>
+ <span class="nt"><param</span> <span
class="na">name=</span><span class="s">"exemptedPaths"</span><span
class="nt">></param></span>
+ <span class="nt"></interceptor-ref></span>
+ <span class="nt"><interceptor-ref</span> <span
class="na">name=</span><span class="s">"coopInterceptor"</span><span
class="nt">></span>
+ <span class="nt"><param</span> <span
class="na">name=</span><span class="s">"exemptedPaths"</span><span
class="nt">></param></span>
+ <span class="nt"><param</span> <span
class="na">name=</span><span class="s">"mode"</span><span
class="nt">></span>same-origin<span class="nt"></param></span>
+ <span class="nt"></interceptor-ref></span>
<span class="nt"><interceptor-ref</span> <span
class="na">name=</span><span class="s">"fetchMetadata"</span><span
class="nt">/></span>
<span class="nt"><interceptor-ref</span> <span
class="na">name=</span><span class="s">"validation"</span><span
class="nt">></span>
<span class="nt"><param</span> <span
class="na">name=</span><span class="s">"excludeMethods"</span><span
class="nt">></span>input,back,cancel,browse<span
class="nt"></param></span>
diff --git a/output/security/index.html b/output/security/index.html
index 35a02f7..76a42e8 100644
--- a/output/security/index.html
+++ b/output/security/index.html
@@ -155,6 +155,8 @@
<li><a href="#ognl-is-used-to-call-actions-methods"
id="markdown-toc-ognl-is-used-to-call-actions-methods">OGNL is used to call
action’s methods</a></li>
<li><a href="#accepted--excluded-patterns"
id="markdown-toc-accepted--excluded-patterns">Accepted / Excluded
patterns</a></li>
<li><a href="#strict-method-invocation"
id="markdown-toc-strict-method-invocation">Strict Method Invocation</a></li>
+ <li><a href="#resource-isolation-using-fetch-metadata"
id="markdown-toc-resource-isolation-using-fetch-metadata">Resource Isolation
Using Fetch Metadata</a></li>
+ <li><a href="#cross-origin-isolation-with-coop-and-coep"
id="markdown-toc-cross-origin-isolation-with-coop-and-coep">Cross Origin
Isolation with COOP and COEP</a></li>
</ul>
</li>
</ul>
@@ -429,6 +431,29 @@ If you were using <code
class="highlighter-rouge">excludeParams</code> previous
via <a
href="../core-developers/action-configuration.html#dynamic-method-invocation">Dynamic
Method Invocation</a>. Please read
more in the Strict Method Invocation section of <a
href="../core-developers/action-configuration.html">Action
Configuration</a>.</p>
+<h3 id="resource-isolation-using-fetch-metadata">Resource Isolation Using
Fetch Metadata</h3>
+
+<p>Fetch Metadata is a mitigation against common cross origin attacks such as
Cross-Site Request Forgery (CSRF). It is a web platform security feature
designed to help servers defend themselves against cross-origin attacks based
on the preferred resource isolation policy. The browser provides information
about the context of an HTTP request in a set of <code
class="highlighter-rouge">Sec-Fetch-*</code> headers. This allows the server
processing the request to make decisions on whether t [...]
+
+<p>A Resource Isolation Policy prevents the resources on a server from being
requested by external websites. This policy can be enabled for all endpoints of
the application or the endpoints that are meant to be loaded in a cross-site
context can be exempted from applying the policy. Read more about Fetch
Metadata and resource isolation <a
href="https://web.dev/fetch-metadata/">here</a>.</p>
+
+<p>This mechanism is implemented in Struts using the <a
href="../core-developers/fetch-metadata-interceptor.html">FetchMetadata
Interceptor</a>. Refer to the documentation for <a
href="../core-developers/fetch-metadata-interceptor.html">FetchMetadata
Interceptor</a> instructions on how to enable Fetch Metadata.</p>
+
+<h3 id="cross-origin-isolation-with-coop-and-coep">Cross Origin Isolation with
COOP and COEP</h3>
+
+<p><a
href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy">Cross-Origin
Opener Policy</a> is a security mitigation that lets developers isolate their
resources against side-channel attacks and information leaks. The COOP response
header allows a document to request a new browsing context group to better
isolate itself from other untrustworthy origins.</p>
+
+<p><a
href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy">Cross-Origin
Embedder Policy</a> prevents a document from loading any cross-origin
resources which don’t explicitly grant the document permission to be loaded.</p>
+
+<p>COOP and COEP are independent mechanisms that can be enabled, tested and
deployed separately. While enabling one doesn’t require developers to enable
the other, when set together COOP and COEP allows developers to use powerful
features (such as <code class="highlighter-rouge">SharedArrayBuffer</code>,
<code class="highlighter-rouge">performance.measureMemory()</code> and the JS
Self-Profiling API) securely, without worrying about side channel attacks like
<a href="https://meltdownatta [...]
+
+<p>The recommended configuration for the policies are:</p>
+<div class="highlighter-rouge"><div class="highlight"><pre
class="highlight"><code>Cross-Origin-Embedder-Policy: require-corp;
+Cross-Origin-Opener-Policy: same-origin;
+</code></pre></div></div>
+
+<p>COOP and COEP are implemented in Struts using <a
href="../core-developers/coop-interceptor.html">CoopInterceptor</a> and <a
href="../core-developers/coep-interceptor.html">CoepInterceptor</a>.</p>
+
</section>
</article>
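Review bot: the recommended configuration block shows the values as `require-corp;` and `same-origin;`, and the trailing semicolons are not part of either value (the stack listing in this patch passes plain `same-origin` as `mode`), yet readers will copy them verbatim, so drop them. The section should also say whether the default stack already applies these recommended values, since the listing in this patch adds `coepInterceptor` with `enforcingMode` set to `false`. Minor: "The recommended configuration for the policies are" and "COOP and COEP allows" need subject-verb agreement, and the link text "here" in the Fetch Metadata paragraph would read better as the title of the linked article.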