This is an automated email from the ASF dual-hosted git repository. git-site-role pushed a commit to branch asf-staging in repository https://gitbox.apache.org/repos/asf/struts-site.git
The following commit(s) were added to refs/heads/asf-staging by this push: new 30baf20 Updates stage by Jenkins 30baf20 is described below commit 30baf209b9f7814db31deede39c35a598500bf65 Author: jenkins <bui...@apache.org> AuthorDate: Mon Sep 28 11:34:49 2020 +0000 Updates stage by Jenkins --- content/announce.html | 34 +++++++++ content/archetype-catalog.xml | 14 ++-- .../coep-interceptor.html} | 83 ++++++++-------------- .../coop-interceptor.html} | 60 +++++++--------- .../fetch-metadata-interceptor.html} | 81 ++++++++------------- content/core-developers/interceptors.html | 19 +++++ content/core-developers/struts-default-xml.html | 4 ++ content/download.html | 44 ++++++------ content/index.html | 10 +-- content/releases.html | 13 +++- content/security/index.html | 25 +++++++ content/tag-developers/css-xhtml-theme.html | 2 +- content/tag-developers/simple-theme.html | 2 +- content/tag-developers/xhtml-theme.html | 6 +- 14 files changed, 221 insertions(+), 176 deletions(-) diff --git a/content/announce.html b/content/announce.html index 1444b0e..9874080 100644 --- a/content/announce.html +++ b/content/announce.html @@ -131,6 +131,7 @@ <h1 class="no_toc" id="announcements-2020">Announcements 2020</h1> <ul id="markdown-toc"> + <li><a href="#a20200928" id="markdown-toc-a20200928">28 September 2020 - Struts 2.5.25 General Availability</a></li> <li><a href="#a20200813" id="markdown-toc-a20200813">13 August 2020 - Security Advice: Announcing CVE-2019-0230 (Possible RCE) and CVE-2019-0233 (DoS) security issues</a></li> </ul> 
@@ -138,6 +139,39 @@ Skip to: <a href="announce-2019.html">Announcements - 2019</a> </p> +<h4 id="a20200928">28 September 2020 - Struts 2.5.25 General Availability</h4> + +<p>The Apache Struts group is pleased to announce that Struts 2.5.25 is available as a “General Availability” +release. The GA designation is our highest quality grade.</p> + +<p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. +The framework has been designed to streamline the full development cycle, from building, to deploying, +to maintaining applications over time.</p> + +<p>Below is a full list of all changes:</p> + +<ul> + <li>Package Level Properties in Global Results</li> + <li>AbstractMatcher adds values to the map passed into replaceParameters</li> + <li>Minor bug in single file upload example of the Showcase application</li> + <li>Unable to set long pathname variables</li> + <li>s:set with empty body</li> + <li>AliasInterceptor doesn’t properly handle Parameter.Empty</li> + <li>Improve build behaviour on JDK9+</li> + <li>Update multiple Struts 2.5.x libraries / Maven build plugin versions</li> + <li>Upgrade OSGi to the latest version</li> +</ul> + +<p><strong>All developers are strongly advised to perform this action.</strong></p> + +<p>The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: +Servlet API 2.4, JSP API 2.0, and Java 7.</p> + +<p>Should any issues arise with your use of any version of the Struts framework, please post your comments +to the user list, and, if appropriate, file a tracking ticket.</p> + +<p>You can download this version from our <a href="download.cgi#struts-ga">download</a> page.</p> + <h4 id="a20200813">13 August 2020 - Security Advice: Announcing CVE-2019-0230 (Possible RCE) and CVE-2019-0233 (DoS) security issues</h4> <p>Two new <a href="https://cwiki.apache.org/confluence/display/WW/Security+Bulletin">Struts Security Bulletins</a> have been 
issued for Struts 2 by the Apache Struts Security Team:</p> diff --git a/content/archetype-catalog.xml b/content/archetype-catalog.xml index 78a6192..dbeb5f8 100644 --- a/content/archetype-catalog.xml +++ b/content/archetype-catalog.xml 
@@ -7,49 +7,49 @@ <archetype> <groupId>org.apache.struts</groupId> <artifactId>struts2-archetype-blank</artifactId> - <version>2.5.14</version> + <version>2.5.22</version> <repository>https://repository.apache.org/content/groups/public/</repository> <description>Struts 2 Archetypes - Blank</description> </archetype> <archetype> <groupId>org.apache.struts</groupId> <artifactId>struts2-archetype-convention</artifactId> - <version>2.5.14</version> + <version>2.5.22</version> <repository>https://repository.apache.org/content/groups/public/</repository> <description>Struts 2 Archetypes - Blank Convention</description> </archetype> <archetype> <groupId>org.apache.struts</groupId> <artifactId>struts2-archetype-dbportlet</artifactId> - <version>2.5.14</version> + <version>2.5.22</version> <repository>https://repository.apache.org/content/groups/public/</repository> <description>Struts 2 Archetypes - Database Portlet</description> </archetype> <archetype> <groupId>org.apache.struts</groupId> <artifactId>struts2-archetype-plugin</artifactId> - <version>2.5.14</version> + <version>2.5.22</version> <repository>https://repository.apache.org/content/groups/public/</repository> <description>Struts 2 Archetypes - Plugin</description> </archetype> <archetype> <groupId>org.apache.struts</groupId> <artifactId>struts2-archetype-portlet</artifactId> - <version>2.5.14</version> + <version>2.5.22</version> <repository>https://repository.apache.org/content/groups/public/</repository> <description>Struts 2 Archetypes - Portlet</description> </archetype> <archetype> <groupId>org.apache.struts</groupId> <artifactId>struts2-archetype-starter</artifactId> - <version>2.5.14</version> + <version>2.5.22</version> <repository>https://repository.apache.org/content/groups/public/</repository> <description>Struts 2 Archetypes - Starter</description> </archetype> <archetype> <groupId>org.apache.struts</groupId> <artifactId>struts2-archetype-angularjs</artifactId> - <version>2.5.14</version> + 
<version>2.5.22</version> <repository>https://repository.apache.org/content/groups/public/</repository> <description>Struts 2 Archetypes - Angular JS</description> </archetype> diff --git a/content/tag-developers/simple-theme.html b/content/core-developers/coep-interceptor.html similarity index 71% copy from content/tag-developers/simple-theme.html copy to content/core-developers/coep-interceptor.html index 7abc265..c290d03 100644 --- a/content/tag-developers/simple-theme.html +++ b/content/core-developers/coep-interceptor.html @@ -7,7 +7,7 @@ <meta http-equiv="Content-Language" content="en"/> <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"> - <title>Tag Developers Guide</title> + <title>COEP Interceptor</title> <link href="//fonts.googleapis.com/css?family=Source+Sans+Pro:300,400,600,700,400italic,600italic,700italic" rel="stylesheet" type="text/css"> <link href="//netdna.bootstrapcdn.com/font-awesome/4.0.3/css/font-awesome.css" rel="stylesheet"> 
@@ -126,62 +126,41 @@ <article class="container"> <section class="col-md-12"> - <a class="edit-on-gh" href="https://github.com/apache/struts-site/edit/master/source/tag-developers/simple-theme.md" title="Edit this page on GitHub">Edit on GitHub</a> + <a class="edit-on-gh" href="https://github.com/apache/struts-site/edit/master/source/core-developers/coep-interceptor.md" title="Edit this page on GitHub">Edit on GitHub</a> - <a href="themes-and-templates.html" title="back to Themes and Templates"><< back to Themes and Templates</a> + <a href="interceptors.html" title="back to Interceptors"><< back to Interceptors</a> - <h1 class="no_toc" id="simple-theme">simple theme</h1> + <h1 id="fetch-metadata-interceptor">Fetch Metadata Interceptor</h1> -<ul id="markdown-toc"> - <li><a href="#head-tag" id="markdown-toc-head-tag">Head Tag</a></li> - <li><a href="#simple-head-template" id="markdown-toc-simple-head-template">simple head template</a></li> -</ul> +<h2 id="description">Description</h2> + +<p>Interceptor that implements Cross-Origin Embedder Policy on incoming requests.</p> + +<p>COEP prevents the document from loading any framed documents which don’t opt-in by setting the COEP header. (<code class="highlighter-rouge">Cross-Origin-Embedder-Policy: require-corp</code>). This provides protection for documents that don’t restrict framing. A document that doesn’t set COEP cannot be framed by another document with COEP. All descendents of a document with COEP will also enforce the same restrictions.</p> + +<p>COEP is now supported by all major browsers.</p> -<p>The simple theme renders “bare bones” HTML elements. The simple theme is most often used as a starting point for other -themes. 
(See <a href="extending-themes.html">Extending Themes</a> for more.)</p> - -<p>For example, the <a href="textfield-tag.html">textfield</a> tag renders the HTML <code class="highlighter-rouge"><input/></code> tag without a label, validation, error -reporting, or any other formatting or functionality.</p> - -<blockquote> - <p>Both the <a href="xhtml-theme.html">xhtml theme</a> and <a href="css-xhtml-theme.xhtml">css_xhtml theme</a> extend the simple theme. Look -to them for examples of how to build on the foundation laid by the simple theme.</p> -</blockquote> - -<h2 id="head-tag">Head Tag</h2> - -<p>The simple theme <a href="head-tag.html">head</a> template prints out a javascript include required -for the <a href="dojo-datetimepicker-tag.html">datetimepicker</a> tag to render properly.</p> - -<h2 id="simple-head-template">simple head template</h2> - -<p>The <a href="simple-theme.html">simple theme</a><a href="head-tag.html">head</a> template only does one thing: it loads the minimal -Ajax/Dojo support so that tags can import Dojo widgets easily.</p> - -<p>The source of the simple <code class="highlighter-rouge">head.ftl</code> template is:</p> - -<figure class="highlight"><pre><code class="language-freemarker" data-lang="freemarker"><#-- -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. 
See the License for the - * specific language governing permissions and limitations - * under the License. - */ ---> -<script src="${base}/struts/utils.js" type="text/javascript"></script></code></pre></figure> +<p><a href="https://web.dev/why-coop-coep/#coep">More information about COEP</a>.</p> + +<h2 id="parameters">Parameters</h2> + +<ul> + <li><code class="highlighter-rouge">exemptedPaths</code> - Set of opt out endpoints that are meant to serve cross-site traffic. Paths should contain leading slashes and must be relative. This field is empty by default.</li> + <li><code class="highlighter-rouge">enforcingMode</code> - Boolean variable allowing the user to let COEP operate in <code class="highlighter-rouge">enforcing</code>, which blocks both resource and reports violations, or <code class="highlighter-rouge">report-only</code> mode, which only reports violations. Default value for field is <code class="highlighter-rouge">false</code>.</li> + <li><code class="highlighter-rouge">disabled</code> - Boolean variable disabling and enabling COEP. 
Default value for field is <code class="highlighter-rouge">false</code>.</li> +</ul> +<h2 id="examples">Examples</h2> + +<div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nt"><action</span> <span class="na">name=</span><span class="s">"someAction"</span> <span class="na">class=</span><span class="s">"com.examples.SomeAction"</span><span class="nt">></span> + <span class="nt"><interceptor-ref</span> <span class="na">name=</span><span class="s">"defaultStack"</span><span class="nt">></span> + <span class="nt"><param</span> <span class="na">name=</span><span class="s">"coepInterceptor.exemptedPaths"</span><span class="nt">></span>/path1,/path2,/path3<span class="nt"></param></span> + <span class="nt"><param</span> <span class="na">name=</span><span class="s">"coepInterceptor.enforcingMode"</span><span class="nt">></span>false<span class="nt"></param></span> + <span class="nt"><param</span> <span class="na">name=</span><span class="s">"coepInterceptor.disabled"</span><span class="nt">></span>false<span class="nt"></param></span> + <span class="nt"></interceptor-ref></span> + <span class="nt"><result</span> <span class="na">name=</span><span class="s">"success"</span><span class="nt">></span>good_result.ftl<span class="nt"></result></span> +<span class="nt"></action></span> +</code></pre></div></div> </section> </article> diff --git a/content/announce.html b/content/core-developers/coop-interceptor.html similarity index 66% copy from content/announce.html copy to content/core-developers/coop-interceptor.html index 1444b0e..1c40203 100644 --- a/content/announce.html +++ b/content/core-developers/coop-interceptor.html 
@@ -7,7 +7,7 @@ <meta http-equiv="Content-Language" content="en"/> <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"> - <title>Announcements 2020</title> + <title>COOP Interceptor</title> <link href="//fonts.googleapis.com/css?family=Source+Sans+Pro:300,400,600,700,400italic,600italic,700italic" rel="stylesheet" type="text/css"> <link href="//netdna.bootstrapcdn.com/font-awesome/4.0.3/css/font-awesome.css" rel="stylesheet"> 
@@ -126,52 +126,46 @@ <article class="container"> <section class="col-md-12"> - <a class="edit-on-gh" href="https://github.com/apache/struts-site/edit/master/source/announce.md" title="Edit this page on GitHub">Edit on GitHub</a> + <a class="edit-on-gh" href="https://github.com/apache/struts-site/edit/master/source/core-developers/coop-interceptor.md" title="Edit this page on GitHub">Edit on GitHub</a> - <h1 class="no_toc" id="announcements-2020">Announcements 2020</h1> - -<ul id="markdown-toc"> - <li><a href="#a20200813" id="markdown-toc-a20200813">13 August 2020 - Security Advice: Announcing CVE-2019-0230 (Possible RCE) and CVE-2019-0233 (DoS) security issues</a></li> -</ul> + <a href="interceptors.html" title="back to Interceptors"><< back to Interceptors</a> + + <h1 id="fetch-metadata-interceptor">Fetch Metadata Interceptor</h1> -<p class="pull-right"> - Skip to: <a href="announce-2019.html">Announcements - 2019</a> -</p> +<h2 id="description">Description</h2> -<h4 id="a20200813">13 August 2020 - Security Advice: Announcing CVE-2019-0230 (Possible RCE) and CVE-2019-0233 (DoS) security issues</h4> +<p>Interceptor that implements Cross-Origin Opener Policy on incoming requests.</p> -<p>Two new <a href="https://cwiki.apache.org/confluence/display/WW/Security+Bulletin">Struts Security Bulletins</a> have been issued for Struts 2 by the Apache Struts Security Team:</p> +<p>COOP is a security mitigation that lets developers isolate their resources against side-channel attacks and information leaks. The COOP response header allows a document to request a new browsing context group to better isolate itself from other untrustworthy origins. 
Separating browsing contexts is necessary because at least two types of attacks are possible when a document shares a browsing context group and possibly an operating system process with cross-origin documents:</p> <ul> - <li><a href="https://cwiki.apache.org/confluence/display/ww/s2-059">S2-059</a> - Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution (CVE-2019-0230)</li> - <li><a href="https://cwiki.apache.org/confluence/display/ww/s2-060">S2-060</a> - Access permission override causing a Denial of Service when performing a file upload (CVE-2019-0233)</li> + <li>Cross-window attacks. A malicious document can open a victim document in a new window and later navigate the window to a look-alike document to trick the user, or attempt to exploit postMessage vulnerabilities in the victim document.</li> + <li>Process-wide attacks. Side channel and transient execution attacks like Spectre may provide an opportunity to the malicious document to get access to sensitive data from the victim document, if they share an OS process.</li> </ul> -<p>Both issues affect Apache Struts in the version range 2.0.0 - 2.5.20. The current version 2.5.22, which was released in November 2019, is not affected.</p> +<p>The COOP header can have one of 3 values: <code class="highlighter-rouge">same-origin</code>, <code class="highlighter-rouge">same-origin-allow-popups</code>, <code class="highlighter-rouge">unsafe-none</code>. If the COOP values are the same, and the origins of the documents match the relationship declared in the COOP header value, documents can interact with each other. Otherwise if at least one of the documents sets COOP, the browser will create a new browsing context group severi [...] -<p><a href="https://cwiki.apache.org/confluence/display/ww/s2-059">CVE-2019-0230</a> has been reported by Matthias Kaiser, Apple Information Security. 
-By design, Struts 2 allows developers to utilize forced double evaluation for certain tag attributes. -When used with unvalidated, user modifiable input, malicious OGNL expressions may be injected. -In an ongoing effort, the Struts framework includes mitigations for limiting the impact of injected expressions, but Struts before 2.5.22 left an attack vector open which is addressed by this report. -<strong>However, we continue to urge developers building upon Struts 2 to <a href="https://struts.apache.org/security/#use-struts-tags-instead-of-raw-el-expressions">not use <code class="highlighter-rouge">%{...}</code> or <code class="highlighter-rouge">${...}</code> syntax referencing unvalidated user modifiable input in tag attributes </a>, since this is the ultimate fix for this class of vulnerabilities.</strong></p> +<p>COOP is now supported by all major browsers.</p> -<p><a href="https://cwiki.apache.org/confluence/display/ww/s2-060">CVE-2019-0233</a> has been reported by Takeshi Terada of Mitsui Bussan Secure Directions, Inc. -In Struts before 2.5.22, when a file upload is performed to an Action that exposes the file with a getter, an attacker may manipulate the request such that the working copy of the uploaded file or even the container temporary upload directory may be set to read-only access. 
As a result, subsequent actions on the file or file uploads in general will fail with an error.</p> +<p><a href="https://web.dev/why-coop-coep/#coop">More information about COOP</a>.</p> -<p>Both issues are already fixed in Apache Struts <a href="https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.22">2.5.22</a>, which was released in November 2019.</p> +<h2 id="parameters">Parameters</h2> -<p><strong>We strongly recommend all users to <a href="download.cgi#struts-ga">upgrade</a> to Struts 2.5.22, if this has not been done already.</strong></p> - -<p>The Apache Struts Security Team would like to thank the reporters for their efforts and their practice of responsible disclosure, as well as their help while investigating the report and coordinating public disclosure.</p> +<ul> + <li><code class="highlighter-rouge">exemptedPaths</code> - Set of opt out endpoints that are meant to serve cross-site traffic. Paths should contain leading slashes and must be relative. This field is empty by default.</li> + <li><code class="highlighter-rouge">mode</code> - The policy mode COOP should follow. Available modes are <code class="highlighter-rouge">same-origin</code>, <code class="highlighter-rouge">same-origin-allow-popups</code>, <code class="highlighter-rouge">unsafe-none</code>. 
Default mode is <code class="highlighter-rouge">same-origin</code>.</li> +</ul> -<p class="pull-right"> - Skip to: <a href="announce-2019.html">Announcements - 2019</a> -</p> +<h2 id="examples">Examples</h2> -<p class="pull-left"> - <strong>Next:</strong> - <a href="kickstart.html">Kickstart FAQ</a> -</p> +<div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nt"><action</span> <span class="na">name=</span><span class="s">"someAction"</span> <span class="na">class=</span><span class="s">"com.examples.SomeAction"</span><span class="nt">></span> + <span class="nt"><interceptor-ref</span> <span class="na">name=</span><span class="s">"defaultStack"</span><span class="nt">></span> + <span class="nt"><param</span> <span class="na">name=</span><span class="s">"coopInterceptor.exemptedPaths"</span><span class="nt">></span>/path1,/path2,/path3<span class="nt"></param></span> + <span class="nt"><param</span> <span class="na">name=</span><span class="s">"coopInterceptor.mode"</span><span class="nt">></span>same-origin<span class="nt"></param></span> + <span class="nt"></interceptor-ref></span> + <span class="nt"><result</span> <span class="na">name=</span><span class="s">"success"</span><span class="nt">></span>good_result.ftl<span class="nt"></result></span> +<span class="nt"></action></span> +</code></pre></div></div> </section> </article> diff --git a/content/tag-developers/simple-theme.html b/content/core-developers/fetch-metadata-interceptor.html similarity index 72% copy from content/tag-developers/simple-theme.html copy to content/core-developers/fetch-metadata-interceptor.html index 7abc265..beb1bc9 100644 --- a/content/tag-developers/simple-theme.html +++ b/content/core-developers/fetch-metadata-interceptor.html 
@@ -7,7 +7,7 @@ <meta http-equiv="Content-Language" content="en"/> <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"> - <title>Tag Developers Guide</title> + <title>Fetch Metadata Interceptor</title> <link href="//fonts.googleapis.com/css?family=Source+Sans+Pro:300,400,600,700,400italic,600italic,700italic" rel="stylesheet" type="text/css"> <link href="//netdna.bootstrapcdn.com/font-awesome/4.0.3/css/font-awesome.css" rel="stylesheet"> 
@@ -126,62 +126,41 @@ <article class="container"> <section class="col-md-12"> - <a class="edit-on-gh" href="https://github.com/apache/struts-site/edit/master/source/tag-developers/simple-theme.md" title="Edit this page on GitHub">Edit on GitHub</a> + <a class="edit-on-gh" href="https://github.com/apache/struts-site/edit/master/source/core-developers/fetch-metadata-interceptor.md" title="Edit this page on GitHub">Edit on GitHub</a> - <a href="themes-and-templates.html" title="back to Themes and Templates"><< back to Themes and Templates</a> + <a href="interceptors.html" title="back to Interceptors"><< back to Interceptors</a> - <h1 class="no_toc" id="simple-theme">simple theme</h1> + <h1 id="fetch-metadata-interceptor">Fetch Metadata Interceptor</h1> -<ul id="markdown-toc"> - <li><a href="#head-tag" id="markdown-toc-head-tag">Head Tag</a></li> - <li><a href="#simple-head-template" id="markdown-toc-simple-head-template">simple head template</a></li> +<h2 id="description">Description</h2> + +<p>An interceptor that implements Fetch Metadata on incoming requests used to protect against CSRF, XSSI, and cross-origin information leaks. Uses a default Resource Isolation Policy to programmatically reject cross-origin requests.</p> + +<p>A Resource Isolation Policy is a strong defense in-depth mechanism that prevents the resources on a server from being requested by external websites. This policy can be enabled either for all endpoints of the application and endpoints that are meant to be loaded in a cross-site context can be exempted from the policy.</p> + +<p>The browser provides information about the context of an HTTP request in a set of <code class="highlighter-rouge">Sec-Fetch-*</code> headers. This allows the server processing the request to make decisions on whether the request should be accepted or rejected based on the preferred resource isolation policy. 
Struts provides a default Resource Isolation Policy that rejects cross-origin requests that aren’t top level navigations.</p> + +<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Sec-Fetch-Site == 'cross-site' AND (Sec-Fetch-Mode != 'navigate'/'nested-navigate' OR method NOT IN [GET, HEAD]) +</code></pre></div></div> + +<p>Refer to <a href="https://web.dev/fetch-metadata/#implementing-a-resource-isolation-policy">Implementing a Resource Isolation Policy</a> for further information on implementing effective Resource Isolation Policies. +Fetch Metadata is supported in all major browsers</p> + +<h2 id="parameters">Parameters</h2> + +<ul> + <li><code class="highlighter-rouge">exemptedPaths</code> - Set of opt out endpoints that are meant to serve cross-site traffic. Paths should contain leading slashes and must be relative. This field is empty by default.</li> </ul> -<p>The simple theme renders “bare bones” HTML elements. The simple theme is most often used as a starting point for other -themes. (See <a href="extending-themes.html">Extending Themes</a> for more.)</p> - -<p>For example, the <a href="textfield-tag.html">textfield</a> tag renders the HTML <code class="highlighter-rouge"><input/></code> tag without a label, validation, error -reporting, or any other formatting or functionality.</p> - -<blockquote> - <p>Both the <a href="xhtml-theme.html">xhtml theme</a> and <a href="css-xhtml-theme.xhtml">css_xhtml theme</a> extend the simple theme. 
Look -to them for examples of how to build on the foundation laid by the simple theme.</p> -</blockquote> - -<h2 id="head-tag">Head Tag</h2> - -<p>The simple theme <a href="head-tag.html">head</a> template prints out a javascript include required -for the <a href="dojo-datetimepicker-tag.html">datetimepicker</a> tag to render properly.</p> - -<h2 id="simple-head-template">simple head template</h2> - -<p>The <a href="simple-theme.html">simple theme</a><a href="head-tag.html">head</a> template only does one thing: it loads the minimal -Ajax/Dojo support so that tags can import Dojo widgets easily.</p> - -<p>The source of the simple <code class="highlighter-rouge">head.ftl</code> template is:</p> - -<figure class="highlight"><pre><code class="language-freemarker" data-lang="freemarker"><#-- -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. 
- */ ---> -<script src="${base}/struts/utils.js" type="text/javascript"></script></code></pre></figure> +<h2 id="examples">Examples</h2> +<div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nt"><action</span> <span class="na">name=</span><span class="s">"someAction"</span> <span class="na">class=</span><span class="s">"com.examples.SomeAction"</span><span class="nt">></span> + <span class="nt"><interceptor-ref</span> <span class="na">name=</span><span class="s">"defaultStack"</span><span class="nt">></span> + <span class="nt"><param</span> <span class="na">name=</span><span class="s">"fetchMetadata.exemptedPaths"</span><span class="nt">></span>/path1,/path2,/path3<span class="nt"></param></span> + <span class="nt"></interceptor-ref></span> + <span class="nt"><result</span> <span class="na">name=</span><span class="s">"success"</span><span class="nt">></span>good_result.ftl<span class="nt"></result></span> +<span class="nt"></action></span> +</code></pre></div></div> </section> </article> diff --git a/content/core-developers/interceptors.html b/content/core-developers/interceptors.html index 6d59f5d..5f8782e 100644 --- a/content/core-developers/interceptors.html +++ b/content/core-developers/interceptors.html 
@@ -474,6 +474,7 @@ than reiterate the same list of Interceptors, we can bundle these Interceptors t <span class="nt"><interceptor</span> <span class="na">name=</span><span class="s">"clearSession"</span> <span class="na">class=</span><span class="s">"org.apache.struts2.interceptor.ClearSessionInterceptor"</span> <span class="nt">/></span> <span class="nt"><interceptor</span> <span class="na">name=</span><span class="s">"coopInterceptor"</span> <span class="na">class=</span><span class="s">"org.apache.struts2.interceptor.CoopInterceptor"</span><span class="nt">/></span> <span class="nt"><interceptor</span> <span class="na">name=</span><span class="s">"createSession"</span> <span class="na">class=</span><span class="s">"org.apache.struts2.interceptor.CreateSessionInterceptor"</span> <span class="nt">/></span> + <span class="nt"><interceptor</span> <span class="na">name=</span><span class="s">"cspInterceptor"</span> <span class="na">class=</span><span class="s">"org.apache.struts2.interceptor.csp.CspInterceptor"</span><span class="nt">/></span> <span class="nt"><interceptor</span> <span class="na">name=</span><span class="s">"debugging"</span> <span class="na">class=</span><span class="s">"org.apache.struts2.interceptor.debugging.DebuggingInterceptor"</span> <span class="nt">/></span> <span class="nt"><interceptor</span> <span class="na">name=</span><span class="s">"execAndWait"</span> <span class="na">class=</span><span class="s">"org.apache.struts2.interceptor.ExecuteAndWaitInterceptor"</span><span class="nt">/></span> <span class="nt"><interceptor</span> <span class="na">name=</span><span class="s">"exception"</span> <span class="na">class=</span><span class="s">"com.opensymphony.xwork2.interceptor.ExceptionMappingInterceptor"</span><span class="nt">/></span> 
@@ -605,6 +606,9 @@ than reiterate the same list of Interceptors, we can bundle these Interceptors t <span class="nt"><interceptor-ref</span> <span class="na">name=</span><span class="s">"alias"</span><span class="nt">/></span> <span class="nt"><interceptor-ref</span> <span class="na">name=</span><span class="s">"servletConfig"</span><span class="nt">/></span> <span class="nt"><interceptor-ref</span> <span class="na">name=</span><span class="s">"i18n"</span><span class="nt">/></span> + <span class="nt"><interceptor-ref</span> <span class="na">name=</span><span class="s">"cspInterceptor"</span><span class="nt">></span> + <span class="nt"><param</span> <span class="na">name=</span><span class="s">"enforcingMode"</span><span class="nt">></span>false<span class="nt"></param></span> + <span class="nt"></interceptor-ref></span> <span class="nt"><interceptor-ref</span> <span class="na">name=</span><span class="s">"prepare"</span><span class="nt">/></span> <span class="nt"><interceptor-ref</span> <span class="na">name=</span><span class="s">"chain"</span><span class="nt">/></span> <span class="nt"><interceptor-ref</span> <span class="na">name=</span><span class="s">"scopedModelDriven"</span><span class="nt">/></span> 
@@ -712,6 +716,11 @@ specified in the <code class="highlighter-rouge"><interceptors/></code> ta <td>Adds automatic checkbox handling code that detect an unchecked checkbox and add it as a parameter with a default (usually ‘false’) value. Uses a specially named hidden field to detect unsubmitted checkboxes. The default unchecked value is overridable for non-boolean value’d checkboxes.</td> </tr> <tr> + <td><a href="coep-interceptor.html">COEP Interceptor</a></td> + <td>coep</td> + <td>Implements the Cross-Origin Embedder Policy on incoming requests used to protect a document from loading any non-same-origin resources which don’t explicitly grant the document permission to be loaded.</td> + </tr> + <tr> <td><a href="conversion-error-interceptor.html">Conversion Error Interceptor</a></td> <td>conversionError</td> <td>Adds conversion errors from the ActionContext to the Action’s field errors</td> @@ -727,6 +736,11 @@ specified in the <code class="highlighter-rouge"><interceptors/></code> ta <td>Transfer cookies from action to response (Since 2.3.15.)</td> </tr> <tr> + <td><a href="coop-interceptor.html">COOP Interceptor</a></td> + <td>coop</td> + <td>Implements the Cross-Origin Opener Policy on incoming requests used to isolate resources against side-channel attacks and information leaks.</td> + </tr> + <tr> <td><a href="create-session-interceptor.html">Create Session Interceptor</a></td> <td>createSession</td> <td>Create an HttpSession automatically, useful with certain Interceptors that require a HttpSession to work properly (like the TokenInterceptor)</td> 
@@ -757,6 +771,11 @@ specified in the <code class="highlighter-rouge"><interceptors/></code> ta <td>Executes the Action in the background and then sends the user off to an intermediate waiting page.</td> </tr> <tr> + <td><a href="fetch-metadata-interceptor.html">Fetch Metadata Interceptor</a></td> + <td>fetchMetadata</td> + <td>Implements the Resource Isolation Policies on incoming requests used to protect against CSRF, XSSI, and cross-origin information leaks.</td> + </tr> + <tr> <td><a href="file-upload-interceptor.html">File Upload Interceptor</a></td> <td>fileUpload</td> <td>An Interceptor that adds easy access to file upload support.</td> diff --git a/content/core-developers/struts-default-xml.html b/content/core-developers/struts-default-xml.html index fd66c6a..563e8e1 100644 --- a/content/core-developers/struts-default-xml.html +++ b/content/core-developers/struts-default-xml.html 
@@ -391,6 +391,7 @@ setting in <a href="struts-properties.html">struts.properties</a>.</p> <span class="nt"><interceptor</span> <span class="na">name=</span><span class="s">"clearSession"</span> <span class="na">class=</span><span class="s">"org.apache.struts2.interceptor.ClearSessionInterceptor"</span> <span class="nt">/></span> <span class="nt"><interceptor</span> <span class="na">name=</span><span class="s">"coopInterceptor"</span> <span class="na">class=</span><span class="s">"org.apache.struts2.interceptor.CoopInterceptor"</span><span class="nt">/></span> <span class="nt"><interceptor</span> <span class="na">name=</span><span class="s">"createSession"</span> <span class="na">class=</span><span class="s">"org.apache.struts2.interceptor.CreateSessionInterceptor"</span> <span class="nt">/></span> + <span class="nt"><interceptor</span> <span class="na">name=</span><span class="s">"cspInterceptor"</span> <span class="na">class=</span><span class="s">"org.apache.struts2.interceptor.csp.CspInterceptor"</span><span class="nt">/></span> <span class="nt"><interceptor</span> <span class="na">name=</span><span class="s">"debugging"</span> <span class="na">class=</span><span class="s">"org.apache.struts2.interceptor.debugging.DebuggingInterceptor"</span> <span class="nt">/></span> <span class="nt"><interceptor</span> <span class="na">name=</span><span class="s">"execAndWait"</span> <span class="na">class=</span><span class="s">"org.apache.struts2.interceptor.ExecuteAndWaitInterceptor"</span><span class="nt">/></span> <span class="nt"><interceptor</span> <span class="na">name=</span><span class="s">"exception"</span> <span class="na">class=</span><span class="s">"com.opensymphony.xwork2.interceptor.ExceptionMappingInterceptor"</span><span class="nt">/></span> 
@@ -522,6 +523,9 @@ setting in <a href="struts-properties.html">struts.properties</a>.</p> <span class="nt"><interceptor-ref</span> <span class="na">name=</span><span class="s">"alias"</span><span class="nt">/></span> <span class="nt"><interceptor-ref</span> <span class="na">name=</span><span class="s">"servletConfig"</span><span class="nt">/></span> <span class="nt"><interceptor-ref</span> <span class="na">name=</span><span class="s">"i18n"</span><span class="nt">/></span> + <span class="nt"><interceptor-ref</span> <span class="na">name=</span><span class="s">"cspInterceptor"</span><span class="nt">></span> + <span class="nt"><param</span> <span class="na">name=</span><span class="s">"enforcingMode"</span><span class="nt">></span>false<span class="nt"></param></span> + <span class="nt"></interceptor-ref></span> <span class="nt"><interceptor-ref</span> <span class="na">name=</span><span class="s">"prepare"</span><span class="nt">/></span> <span class="nt"><interceptor-ref</span> <span class="na">name=</span><span class="s">"chain"</span><span class="nt">/></span> <span class="nt"><interceptor-ref</span> <span class="na">name=</span><span class="s">"scopedModelDriven"</span><span class="nt">/></span> diff --git a/content/download.html b/content/download.html index 998c96b..4cfb48c 100644 --- a/content/download.html +++ b/content/download.html 
@@ -190,26 +190,26 @@ <h2 id="struts-ga">Full Releases</h2> -<h3 id="struts2522">Struts 2.5.22</h3> +<h3 id="struts2525">Struts 2.5.25</h3> <p> - <a href="https://struts.apache.org/">Apache Struts 2.5.22</a> is an elegant, extensible + <a href="https://struts.apache.org/">Apache Struts 2.5.25</a> is an elegant, extensible framework for creating enterprise-ready Java web applications. It is available in a full distribution, or as separate library, source, example and documentation distributions. - Struts 2.5.22 is the "best available" version of Struts in the 2.5 series. + Struts 2.5.25 is the "best available" version of Struts in the 2.5 series. </p> <ul> <li> - <a href="https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.22">Version Notes</a> + <a href="https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.25">Version Notes</a> </li> <li>Full Distribution: <ul> <li> - <a href="[preferred]struts/2.5.22/struts-2.5.22-all.zip">struts-2.5.22-all.zip</a> (65MB) - [<a href="https://downloads.apache.org/struts/2.5.22/struts-2.5.22-all.zip.asc">PGP</a>] - [<a href="https://downloads.apache.org/struts/2.5.22/struts-2.5.22-all.zip.sha256">SHA256</a>] + <a href="[preferred]struts/2.5.25/struts-2.5.25-all.zip">struts-2.5.25-all.zip</a> (65MB) + [<a href="https://downloads.apache.org/struts/2.5.25/struts-2.5.25-all.zip.asc">PGP</a>] + [<a href="https://downloads.apache.org/struts/2.5.25/struts-2.5.25-all.zip.sha256">SHA256</a>] </li> </ul> </li> 
@@ -217,9 +217,9 @@ <li>Example Applications: <ul> <li> - <a href="[preferred]struts/2.5.22/struts-2.5.22-apps.zip">struts-2.5.22-apps.zip</a> (35MB) - [<a href="https://downloads.apache.org/struts/2.5.22/struts-2.5.22-apps.zip.asc">PGP</a>] - [<a href="https://downloads.apache.org/struts/2.5.22/struts-2.5.22-apps.zip.sha256">SHA256</a>] + <a href="[preferred]struts/2.5.25/struts-2.5.25-apps.zip">struts-2.5.25-apps.zip</a> (35MB) + [<a href="https://downloads.apache.org/struts/2.5.25/struts-2.5.25-apps.zip.asc">PGP</a>] + [<a href="https://downloads.apache.org/struts/2.5.25/struts-2.5.25-apps.zip.sha256">SHA256</a>] </li> </ul> </li> @@ -227,9 +227,9 @@ <li>Essential Dependencies Only: <ul> <li> - <a href="[preferred]struts/2.5.22/struts-2.5.22-min-lib.zip">struts-2.5.22-min-lib.zip</a> (4MB) - [<a href="https://downloads.apache.org/struts/2.5.22/struts-2.5.22-min-lib.zip.asc">PGP</a>] - [<a href="https://downloads.apache.org/struts/2.5.22/struts-2.5.22-min-lib.zip.sha256">SHA256</a>] + <a href="[preferred]struts/2.5.25/struts-2.5.25-min-lib.zip">struts-2.5.25-min-lib.zip</a> (4MB) + [<a href="https://downloads.apache.org/struts/2.5.25/struts-2.5.25-min-lib.zip.asc">PGP</a>] + [<a href="https://downloads.apache.org/struts/2.5.25/struts-2.5.25-min-lib.zip.sha256">SHA256</a>] </li> </ul> </li> @@ -237,9 +237,9 @@ <li>All Dependencies: <ul> <li> - <a href="[preferred]struts/2.5.22/struts-2.5.22-lib.zip">struts-2.5.22-lib.zip</a> (19MB) - [<a href="https://downloads.apache.org/struts/2.5.22/struts-2.5.22-lib.zip.asc">PGP</a>] - [<a href="https://downloads.apache.org/struts/2.5.22/struts-2.5.22-lib.zip.sha256">SHA256</a>] + <a href="[preferred]struts/2.5.25/struts-2.5.25-lib.zip">struts-2.5.25-lib.zip</a> (19MB) + [<a href="https://downloads.apache.org/struts/2.5.25/struts-2.5.25-lib.zip.asc">PGP</a>] + [<a href="https://downloads.apache.org/struts/2.5.25/struts-2.5.25-lib.zip.sha256">SHA256</a>] </li> </ul> </li> 
@@ -247,9 +247,9 @@ <li>Documentation: <ul> <li> - <a href="[preferred]struts/2.5.22/struts-2.5.22-docs.zip">struts-2.5.22-docs.zip</a> (13MB) - [<a href="https://downloads.apache.org/struts/2.5.22/struts-2.5.22-docs.zip.asc">PGP</a>] - [<a href="https://downloads.apache.org/struts/2.5.22/struts-2.5.22-docs.zip.sha256">SHA256</a>] + <a href="[preferred]struts/2.5.25/struts-2.5.25-docs.zip">struts-2.5.25-docs.zip</a> (13MB) + [<a href="https://downloads.apache.org/struts/2.5.25/struts-2.5.25-docs.zip.asc">PGP</a>] + [<a href="https://downloads.apache.org/struts/2.5.25/struts-2.5.25-docs.zip.sha256">SHA256</a>] </li> </ul> </li> @@ -257,9 +257,9 @@ <li>Source: <ul> <li> - <a href="[preferred]struts/2.5.22/struts-2.5.22-src.zip">struts-2.5.22-src.zip</a> (7MB) - [<a href="https://downloads.apache.org/struts/2.5.22/struts-2.5.22-src.zip.asc">PGP</a>] - [<a href="https://downloads.apache.org/struts/2.5.22/struts-2.5.22-src.zip.sha256">SHA256</a>] + <a href="[preferred]struts/2.5.25/struts-2.5.25-src.zip">struts-2.5.25-src.zip</a> (7MB) + [<a href="https://downloads.apache.org/struts/2.5.25/struts-2.5.25-src.zip.asc">PGP</a>] + [<a href="https://downloads.apache.org/struts/2.5.25/struts-2.5.25-src.zip.sha256">SHA256</a>] </li> </ul> </li> diff --git a/content/index.html b/content/index.html index 475c2c2..068c9c0 100644 --- a/content/index.html +++ b/content/index.html @@ -132,7 +132,7 @@ extensible using a plugin architecture, and ships with plugins to support REST, AJAX and JSON. </p> - <a href="download.cgi#struts2522" class="btn btn-primary btn-large"> + <a href="download.cgi#struts2525" class="btn btn-primary btn-large"> <img src="img/download-icon.svg"> Download </a> <a href="primer.html" class="btn btn-info btn-large"> 
@@ -160,12 +160,12 @@ </p> </div> <div class="column col-md-4"> - <h2>Apache Struts 2.5.22 GA</h2> + <h2>Apache Struts 2.5.25 GA</h2> <p> - Apache Struts 2.5.22 GA has been released<br/>on 29 November 2019. + Apache Struts 2.5.25 GA has been released<br/>on 28 September 2020. </p> - Read more in <a href="announce-2019.html#a20191129">Announcement</a> or in - <a href="https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.22">Version notes</a> + Read more in <a href="announce-2019.html#a20200928">Announcement</a> or in + <a href="https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.25">Version notes</a> </div> </div> <div class="row"> diff --git a/content/releases.html b/content/releases.html index 18495d7..887d077 100644 --- a/content/releases.html +++ b/content/releases.html @@ -148,7 +148,7 @@ <ul> <li> <a href="/download.cgi#struts-ga"> - Struts 2.5.22 + Struts 2.5.25 </a> ("best available") </li> </ul> @@ -232,6 +232,17 @@ <tbody> <tr> <td class="no-wrap"> + Struts 2.5.22 + </td> + <td class="no-wrap">19 November 2019</td> + <td> + </td> + <td> + <a href="https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.22">Version notes</a> + </td> + </tr> + <tr> + <td class="no-wrap"> Struts 2.5.20 </td> <td class="no-wrap">14 January 2019</td> diff --git a/content/security/index.html b/content/security/index.html index 35a02f7..76a42e8 100644 --- a/content/security/index.html +++ b/content/security/index.html 
@@ -155,6 +155,8 @@ <li><a href="#ognl-is-used-to-call-actions-methods" id="markdown-toc-ognl-is-used-to-call-actions-methods">OGNL is used to call action’s methods</a></li> <li><a href="#accepted--excluded-patterns" id="markdown-toc-accepted--excluded-patterns">Accepted / Excluded patterns</a></li> <li><a href="#strict-method-invocation" id="markdown-toc-strict-method-invocation">Strict Method Invocation</a></li> + <li><a href="#resource-isolation-using-fetch-metadata" id="markdown-toc-resource-isolation-using-fetch-metadata">Resource Isolation Using Fetch Metadata</a></li> + <li><a href="#cross-origin-isolation-with-coop-and-coep" id="markdown-toc-cross-origin-isolation-with-coop-and-coep">Cross Origin Isolation with COOP and COEP</a></li> </ul> </li> </ul> 
@@ -429,6 +431,29 @@ If you were using <code class="highlighter-rouge">excludeParams</code> previous via <a href="../core-developers/action-configuration.html#dynamic-method-invocation">Dynamic Method Invocation</a>. Please read more in the Strict Method Invocation section of <a href="../core-developers/action-configuration.html">Action Configuration</a>.</p> +<h3 id="resource-isolation-using-fetch-metadata">Resource Isolation Using Fetch Metadata</h3> + +<p>Fetch Metadata is a mitigation against common cross origin attacks such as Cross-Site Request Forgery (CSRF). It is a web platform security feature designed to help servers defend themselves against cross-origin attacks based on the preferred resource isolation policy. The browser provides information about the context of an HTTP request in a set of <code class="highlighter-rouge">Sec-Fetch-*</code> headers. This allows the server processing the request to make decisions on whether t [...] + +<p>A Resource Isolation Policy prevents the resources on a server from being requested by external websites. This policy can be enabled for all endpoints of the application or the endpoints that are meant to be loaded in a cross-site context can be exempted from applying the policy. Read more about Fetch Metadata and resource isolation <a href="https://web.dev/fetch-metadata/">here</a>.</p> + +<p>This mechanism is implemented in Struts using the <a href="../core-developers/fetch-metadata-interceptor.html">FetchMetadata Interceptor</a>. 
Refer to the documentation for <a href="../core-developers/fetch-metadata-interceptor.html">FetchMetadata Interceptor</a> instructions on how to enable Fetch Metadata.</p> + +<h3 id="cross-origin-isolation-with-coop-and-coep">Cross Origin Isolation with COOP and COEP</h3> + +<p><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy">Cross-Origin Opener Policy</a> is a security mitigation that lets developers isolate their resources against side-channel attacks and information leaks. The COOP response header allows a document to request a new browsing context group to better isolate itself from other untrustworthy origins.</p> + +<p><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy">Cross-Origin Embedder Policy</a> prevents a document from loading any cross-origin resources which don’t explicitly grant the document permission to be loaded.</p> + +<p>COOP and COEP are independent mechanisms that can be enabled, tested and deployed separately. While enabling one doesn’t require developers to enable the other, when set together COOP and COEP allows developers to use powerful features (such as <code class="highlighter-rouge">SharedArrayBuffer</code>, <code class="highlighter-rouge">performance.measureMemory()</code> and the JS Self-Profiling API) securely, without worrying about side channel attacks like <a href="https://meltdownatta [...] + +<p>The recommended configuration for the policies are:</p> +<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Cross-Origin-Embedder-Policy: require-corp; +Cross-Origin-Opener-Policy: same-origin; +</code></pre></div></div> + +<p>COOP and COEP are implemented in Struts using <a href="../core-developers/coop-interceptor.html">CoopInterceptor</a> and <a href="../core-developers/coep-interceptor.html">CoepInterceptor</a>.</p> + </section> </article> 
diff --git a/content/tag-developers/css-xhtml-theme.html b/content/tag-developers/css-xhtml-theme.html index 31c58de..1691abb 100644 --- a/content/tag-developers/css-xhtml-theme.html +++ b/content/tag-developers/css-xhtml-theme.html @@ -327,7 +327,7 @@ to provide the layout. The contents of <strong>head.ftl</strong> are:</p> * under the License. */ --> -<link rel="stylesheet" href="<@s.url value='/struts/css_xhtml/styles.css' includeParams='none' encode='false' />" type="text/css" /> +<link <#include "/${parameters.templateDir}/simple/nonce.ftl" /> rel="stylesheet" href="<@s.url value='/struts/css_xhtml/styles.css' includeParams='none' encode='false' />" type="text/css" /> <#include "/${parameters.templateDir}/simple/head.ftl" /></code></pre></figure> <p>The head includes a style sheet. The contents of <strong>styles.css</strong> are:</p> diff --git a/content/tag-developers/simple-theme.html b/content/tag-developers/simple-theme.html index 7abc265..025a46f 100644 --- a/content/tag-developers/simple-theme.html +++ b/content/tag-developers/simple-theme.html @@ -180,7 +180,7 @@ Ajax/Dojo support so that tags can import Dojo widgets easily.</p> * under the License. */ --> -<script src="${base}/struts/utils.js" type="text/javascript"></script></code></pre></figure> +<script src="${base}/struts/utils.js" type="text/javascript" <#include "/${parameters.templateDir}/simple/nonce.ftl" /> ></script></code></pre></figure> </section> diff --git a/content/tag-developers/xhtml-theme.html b/content/tag-developers/xhtml-theme.html index 93c1868..45f4dd2 100644 --- a/content/tag-developers/xhtml-theme.html +++ b/content/tag-developers/xhtml-theme.html 
@@ -391,7 +391,7 @@ render the form elements.</p> * under the License. */ --> -<link rel="stylesheet" href="<@s.url value='/struts/xhtml/styles.css' includeParams='none' encode='false' />" type="text/css"/> +<link rel="stylesheet" href="<@s.url value='/struts/xhtml/styles.css' includeParams='none' encode='false'/>" type="text/css" <#include "/${parameters.templateDir}/simple/nonce.ftl" /> /> <#include "/${parameters.templateDir}/simple/head.ftl" /></code></pre></figure> <p>The head template imports a style sheet. The contents of <strong>styles.css</strong> are:</p> @@ -505,7 +505,7 @@ wrapping table, the opening and closing templates also, if the <code class="high <#include "/${parameters.templateDir}/simple/form-close.ftl" /> <#include "/${parameters.templateDir}/${parameters.expandTheme}/form-close-validate.ftl" /> <#if parameters.focusElement??> -<script type="text/javascript"> +<script type="text/javascript" <#include "/${parameters.templateDir}/simple/nonce.ftl" /> > StrutsUtils.addOnLoad(function() { var element = document.getElementById("${parameters.focusElement}"); if(element) { @@ -581,7 +581,7 @@ to <code class="highlighter-rouge">true</code>, enable <a href="../core-develope <#include "/${parameters.templateDir}/simple/form-close.ftl" /> <#include "/${parameters.templateDir}/${parameters.expandTheme}/form-close-validate.ftl" /> <#if parameters.focusElement??> -<script type="text/javascript"> +<script type="text/javascript" <#include "/${parameters.templateDir}/simple/nonce.ftl" /> > StrutsUtils.addOnLoad(function() { var element = document.getElementById("${parameters.focusElement}"); if(element) {
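Review bot: in the interceptors.html defaultStack hunk (@@ -605), `cspInterceptor` is added to the documented stack with `<param name="enforcingMode">false</param>`, but nothing on the page says what that value selects or how an application turns enforcement on. A sentence after the stack listing stating what `false` means (report-only versus enforcing) and that deployments wanting an enforced policy must set the parameter to `true` would stop readers assuming the shipped stack already enforces a policy.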
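Review bot: the interceptors.html table hunk (@@ -712) adds rows for `coep`, `coop` and `fetchMetadata` but no row for the CSP interceptor that the same file now lists in defaultStack (`<interceptor-ref name="cspInterceptor">`); add one so the stack listing and the table agree. The name column also gives `coop` and `coep`, whereas the struts-default-xml.html hunk in this push declares `name="coopInterceptor"` and `name="cspInterceptor"`; the table should carry the names under which the interceptors are actually registered, since those are what an `interceptor-ref` must use, and the `coep` and `fetchMetadata` entries should be checked the same way.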
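Review bot: the struts-default-xml.html defaultStack hunk (@@ -522) bakes `enforcingMode=false` into the stack, so readers need to know how to override it without copying the whole stack. Struts supports overriding a nested interceptor's parameter on the stack reference, e.g. `<interceptor-ref name="defaultStack"><param name="cspInterceptor.enforcingMode">true</param></interceptor-ref>`; documenting that form next to the listing would make the new parameter usable.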
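Review bot: in the download.html hunks (@@ -190 onward) every link moves from 2.5.22 to 2.5.25, but the archive sizes are carried over unchanged (65MB, 35MB, 4MB, 19MB, 13MB, 7MB); please confirm they were re-measured for the 2.5.25 artifacts rather than left from the previous release. Keeping the `.asc` and `.sha256` links on downloads.apache.org while the archives themselves go through `[preferred]` mirrors is correct and should stay that way.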
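Review bot: the index.html hunk (@@ -160) still sends the announcement link to `announce-2019.html#a20200928`; the page name says 2019 while the anchor encodes 28 September 2020, so the 2019 announcements page cannot contain that fragment and the link will land on the wrong page. Point the href at the page that holds the 2020 announcements.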
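Review bot: the releases.html hunk (@@ -232) dates the new Struts 2.5.22 history row `19 November 2019`, while the index.html text removed in this same push said 2.5.22 was released on 29 November 2019 and its old anchor was `a20191129`; one of the two is a typo, and the table row looks like the wrong one. Verify against the 2.5.22 announcement before publishing.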
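Review bot: in the security/index.html hunk (@@ -429) the recommended-configuration block ends both header values with a semicolon (`Cross-Origin-Embedder-Policy: require-corp;` and `Cross-Origin-Opener-Policy: same-origin;`); the defined values are `require-corp` and `same-origin` with no trailing punctuation, so a reader copying the block into a server configuration would send malformed values. Drop the semicolons. Grammar in the same hunk: "The recommended configuration for the policies are" should read "is", "COOP and COEP allows" should read "allow", and "Refer to the documentation for FetchMetadata Interceptor instructions" reads better as "Refer to the FetchMetadata Interceptor documentation for instructions"; the heading "Cross Origin Isolation" should be hyphenated to match the header names it describes.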
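Review bot: the theme hunks (css-xhtml-theme.html @@ -327, simple-theme.html @@ -180, xhtml-theme.html @@ -391, @@ -505, @@ -581) add `<#include "/${parameters.templateDir}/simple/nonce.ftl" />` to the link and script tags, but none of the three pages says what that include renders or how it relates to the CSP interceptor introduced in this push, nor what it emits when the interceptor is not in the stack; a short sentence on each page would explain why the attribute appears in head.ftl and the script tags. Attribute placement is also inconsistent: before `rel` in css_xhtml/head.ftl, after `type` in the simple and xhtml templates; pick one position.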