This is an automated email from the ASF dual-hosted git repository. lukaszlenart pushed a commit to branch csp-interceptor in repository https://gitbox.apache.org/repos/asf/struts-site.git
commit 5584851658228c499c9b3b3db32ab0ccb5090daf Author: Lukasz Lenart <[email protected]> AuthorDate: Mon Nov 28 15:28:06 2022 +0100 Adds missing info about CSP interceptor --- source/core-developers/csp-interceptor.md | 42 ++++++++++++++++ source/core-developers/interceptors.md | 79 ++++++++++++++++--------------- 2 files changed, 82 insertions(+), 39 deletions(-) diff --git a/source/core-developers/csp-interceptor.md b/source/core-developers/csp-interceptor.md new file mode 100644 index 000000000..82ed7e631 --- /dev/null +++ b/source/core-developers/csp-interceptor.md 
@@ -0,0 +1,42 @@ +--- +layout: default +title: CSP Interceptor +parent: + title: Interceptors + url: interceptors.html +--- + +# Content Security Policy Interceptor + +## Description + +Interceptor that implements Content Security Policy on incoming requests. + +Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, +including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft, +to site defacement, to malware distribution. + +CSP can work in two modes, either **enforce** or **report**. In the report mode the `Content-Security-Policy-Report-Only` +header is sent and `Content-Security-Policy` header is used when using the enforce mode. + +CSP is now supported by all major browsers. + +[More information about CSP](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP). + +## Parameters + +- `enforcingMode` (default `false`) - When set to "true", the enforce mode has been enabled, and the provided policy + is going to be enforced. +- `reportUri` - an uri under, which the violations have to be reported. + +## Examples + +```xml +<action name="someAction" class="com.examples.SomeAction"> + <interceptor-ref name="defaultStack"> + <param name="csp.enforcingMode">true</param> + <param name="csp.reportUri">/csp-report.action</param> + </interceptor-ref> + <result name="success">good_result.ftl</result> +</action> +``` diff --git a/source/core-developers/interceptors.md b/source/core-developers/interceptors.md index ad050f667..8d041c12a 100644 --- a/source/core-developers/interceptors.md +++ b/source/core-developers/interceptors.md 
@@ -106,45 +106,46 @@ specified below come specified in [struts-default.xml](struts-default-xml). If y package, then you can use the names below. Otherwise, they must be defined in your package with a name-class pair specified in the `<interceptors/>` tag. -|Interceptor|Name|Description| -|-----------|----|-----------| -|[Alias Interceptor](alias-interceptor)|alias|Converts similar parameters that may be named differently between requests.| -|[Annotation Parameter Filter Interceptor](annotation-parameter-filter-interceptor)|annotationParameterFilter|Annotation based version of [Parameter Filter Interceptor](parameter-filter-interceptor).| -|[Annotation Workflow Interceptor](annotation-workflow-interceptor)|annotationWorkflow|Invokes any annotated methods on the action.| -|[Chaining Interceptor](chaining-interceptor)|chain|Makes the previous Action's properties available to the current Action. Commonly used together with <result type="chain"> (in the previous Action).| -|[Checckbox Interceptor](checkbox-interceptor)|checkbox|Adds automatic checkbox handling code that detect an unchecked checkbox and add it as a parameter with a default (usually 'false') value. Uses a specially named hidden field to detect unsubmitted checkboxes. The default unchecked value is overridable for non-boolean value'd checkboxes.| -|[COEP Interceptor](coep-interceptor)|coep|Implements the Cross-Origin Embedder Policy on incoming requests used to protect a document from loading any non-same-origin resources which don't explicitly grant the document permission to be loaded.| -|[Conversion Error Interceptor](conversion-error-interceptor)|conversionError|Adds conversion errors from the ActionContext to the Action's field errors| -|[Cookie Interceptor](cookie-interceptor)|cookie|Inject cookie with a certain configurable name / value into action. 
(Since 2.0.7.)| -|[Cookie Provider Interceptor](cookie-provider-interceptor)|cookieProvider|Transfer cookies from action to response (Since 2.3.15.)| -|[COOP Interceptor](coop-interceptor)|coop|Implements the Cross-Origin Opener Policy on incoming requests used to isolate resources against side-channel attacks and information leaks.| -|[Create Session Interceptor](create-session-interceptor)|createSession|Create an HttpSession automatically, useful with certain Interceptors that require a HttpSession to work properly (like the TokenInterceptor)| -|[Clear Session Interceptor](clear-session-interceptor)|clearSession|This interceptor clears the HttpSession.| -|[Debugging Interceptor](debugging-interceptor)|debugging|Provides several different debugging screens to provide insight into the data behind the page.| -|[Default Workflow Interceptor](default-workflow-interceptor)|workflow|Calls the validate method in your Action class. If Action errors are created then it returns the INPUT view.| -|[Exception Interceptor](exception-interceptor)|exception|Maps exceptions to a result.| -|[Execute and Wait Interceptor](execute-and-wait-interceptor)|execAndWait|Executes the Action in the background and then sends the user off to an intermediate waiting page.| -|[Fetch Metadata Interceptor](fetch-metadata-interceptor)|fetchMetadata|Implements the Resource Isolation Policies on incoming requests used to protect against CSRF, XSSI, and cross-origin information leaks.| -|[File Upload Interceptor](file-upload-interceptor)|fileUpload|An Interceptor that adds easy access to file upload support.| -|[I18n Interceptor](i18n-interceptor)|i18n|Remembers the locale selected for a user's session.| -|[Logging Interceptor](logging-interceptor)|logger|Outputs the name of the Action.| -|[Message Store Interceptor](message-store-interceptor)|store|Store and retrieve action messages / errors / field errors for action that implements ValidationAware interface into session.| -|[Model Driven 
Interceptor](model-driven-interceptor.htm)|modelDriven|If the Action implements ModelDriven, pushes the getModel Result onto the Value Stack.| -|[Multiselect Interceptor](multiselect-interceptor)|multiselect|Like the checkbox interceptor detects that no value was selected for a field with multiple values (like a select) and adds an empty parameter| -|[NoOp Interceptor](no-op-interceptor)|noop|Does nothing, just passes invocation further, used in empty stack| -|[Parameter Filter Interceptor](parameter-filter-interceptor)|parameterFilter|Removes parameters from the list of those available to Actions| -|[Parameters Interceptor](parameters-interceptor)|params|Sets the request parameters onto the Action.| -|[Parameter Remover Interceptor](parameter-remover-interceptor)|paramRemover|Removes a parameter from parameters map.| -|[Prepare Interceptor](prepare-interceptor)|prepare|If the Action implements Preparable, calls its prepare method.| -|[Roles Interceptor](roles-interceptor)|roles|Action will only be executed if the user has the correct JAAS role.| -|[Scope Interceptor](scope-interceptor)|scope|Simple mechanism for storing Action state in the session or application scope.| -|[Scoped Model Driven Interceptor](scoped-model-driven-interceptor)|scopedModelDriven|If the Action implements ScopedModelDriven, the interceptor retrieves and stores the model from a scope and sets it on the action calling setModel.| -|[Servlet Config Interceptor](servlet-config-interceptor)|servletConfig|Provide access to Maps representing HttpServletRequest and HttpServletResponse.| -|[Static Parameters Interceptor](static-parameters-interceptor)|staticParams|Sets the struts.xml defined parameters onto the action. 
These are the <param> tags that are direct children of the <action> tag.| -|[Timer Interceptor](timer-interceptor)|timer|Outputs how long the Action takes to execute (including nested Interceptors and View)| -|[Token Interceptor](token-interceptor)|token|Checks for valid token presence in Action, prevents duplicate form submission.| -|[Token Session Interceptor](token-session-interceptor)|tokenSession|Same as Token Interceptor, but stores the submitted data in session when handed an invalid token| -|[Validation Interceptor](validation-interceptor)|validation|Performs validation using the validators defined in _action_ -validation.xml| +| Interceptor | Name | Description | +|------------------------------------------------------------------------------------|---------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| [Alias Interceptor](alias-interceptor) | alias | Converts similar parameters that may be named differently between requests. | +| [Annotation Parameter Filter Interceptor](annotation-parameter-filter-interceptor) | annotationParameterFilter | Annotation based version of [Parameter Filter Interceptor](parameter-filter-interceptor). | +| [Annotation Workflow Interceptor](annotation-workflow-interceptor) | annotationWorkflow | Invokes any annotated methods on the action. | +| [Chaining Interceptor](chaining-interceptor) | chain | Makes the previous Action's properties available to the current Action. Commonly used together with <result type="chain"> (in the previous Action). | +| [Checckbox Interceptor](checkbox-interceptor) | checkbox | Adds automatic checkbox handling code that detect an unchecked checkbox and add it as a parameter with a default (usually 'false') value. 
Uses a specially named hidden field to detect unsubmitted checkboxes. The default unchecked value is overridable for non-boolean value'd checkboxes. | +| [COEP Interceptor](coep-interceptor) | coep | Implements the Cross-Origin Embedder Policy on incoming requests used to protect a document from loading any non-same-origin resources which don't explicitly grant the document permission to be loaded. | +| [Conversion Error Interceptor](conversion-error-interceptor) | conversionError | Adds conversion errors from the ActionContext to the Action's field errors | +| [Cookie Interceptor](cookie-interceptor) | cookie | Inject cookie with a certain configurable name / value into action. (Since 2.0.7.) | +| [Cookie Provider Interceptor](cookie-provider-interceptor) | cookieProvider | Transfer cookies from action to response (Since 2.3.15.) | +| [COOP Interceptor](coop-interceptor) | coop | Implements the Cross-Origin Opener Policy on incoming requests used to isolate resources against side-channel attacks and information leaks. | +| [Create Session Interceptor](create-session-interceptor) | createSession | Create an HttpSession automatically, useful with certain Interceptors that require a HttpSession to work properly (like the TokenInterceptor) | +| [Clear Session Interceptor](clear-session-interceptor) | clearSession | This interceptor clears the HttpSession. | +| [Content Security Policy Interceptor](csp-interceptor) | csp | Adds support for Content Security policy. | +| [Debugging Interceptor](debugging-interceptor) | debugging | Provides several different debugging screens to provide insight into the data behind the page. | +| [Default Workflow Interceptor](default-workflow-interceptor) | workflow | Calls the validate method in your Action class. If Action errors are created then it returns the INPUT view. | +| [Exception Interceptor](exception-interceptor) | exception | Maps exceptions to a result. 
| +| [Execute and Wait Interceptor](execute-and-wait-interceptor) | execAndWait | Executes the Action in the background and then sends the user off to an intermediate waiting page. | +| [Fetch Metadata Interceptor](fetch-metadata-interceptor) | fetchMetadata | Implements the Resource Isolation Policies on incoming requests used to protect against CSRF, XSSI, and cross-origin information leaks. | +| [File Upload Interceptor](file-upload-interceptor) | fileUpload | An Interceptor that adds easy access to file upload support. | +| [I18n Interceptor](i18n-interceptor) | i18n | Remembers the locale selected for a user's session. | +| [Logging Interceptor](logging-interceptor) | logger | Outputs the name of the Action. | +| [Message Store Interceptor](message-store-interceptor) | store | Store and retrieve action messages / errors / field errors for action that implements ValidationAware interface into session. | +| [Model Driven Interceptor](model-driven-interceptor.htm) | modelDriven | If the Action implements ModelDriven, pushes the getModel Result onto the Value Stack. | +| [Multiselect Interceptor](multiselect-interceptor) | multiselect | Like the checkbox interceptor detects that no value was selected for a field with multiple values (like a select) and adds an empty parameter | +| [NoOp Interceptor](no-op-interceptor) | noop | Does nothing, just passes invocation further, used in empty stack | +| [Parameter Filter Interceptor](parameter-filter-interceptor) | parameterFilter | Removes parameters from the list of those available to Actions | +| [Parameters Interceptor](parameters-interceptor) | params | Sets the request parameters onto the Action. | +| [Parameter Remover Interceptor](parameter-remover-interceptor) | paramRemover | Removes a parameter from parameters map. | +| [Prepare Interceptor](prepare-interceptor) | prepare | If the Action implements Preparable, calls its prepare method. 
| +| [Roles Interceptor](roles-interceptor) | roles | Action will only be executed if the user has the correct JAAS role. | +| [Scope Interceptor](scope-interceptor) | scope | Simple mechanism for storing Action state in the session or application scope. | +| [Scoped Model Driven Interceptor](scoped-model-driven-interceptor) | scopedModelDriven | If the Action implements ScopedModelDriven, the interceptor retrieves and stores the model from a scope and sets it on the action calling setModel. | +| [Servlet Config Interceptor](servlet-config-interceptor) | servletConfig | Provide access to Maps representing HttpServletRequest and HttpServletResponse. | +| [Static Parameters Interceptor](static-parameters-interceptor) | staticParams | Sets the struts.xml defined parameters onto the action. These are the <param> tags that are direct children of the <action> tag. | +| [Timer Interceptor](timer-interceptor) | timer | Outputs how long the Action takes to execute (including nested Interceptors and View) | +| [Token Interceptor](token-interceptor) | token | Checks for valid token presence in Action, prevents duplicate form submission. | +| [Token Session Interceptor](token-session-interceptor) | tokenSession | Same as Token Interceptor, but stores the submitted data in session when handed an invalid token | +| [Validation Interceptor](validation-interceptor) | validation | Performs validation using the validators defined in _action_ -validation.xml | Since 2.0.7, Interceptors and Results with hyphenated names were converted to camelCase. (The former model-driven is now modelDriven.) The original hyphenated names are retained as "aliases" until Struts 2.1.0. For clarity,
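Review bot: the `## Parameters` section of the new csp-interceptor.md needs grammatical and precision fixes before it is published. `enforcingMode` reads "When set to "true", the enforce mode has been enabled, and the provided policy is going to be enforced"; suggest "When `true`, the interceptor sends the `Content-Security-Policy` header and the policy is enforced; when `false` (the default) it sends `Content-Security-Policy-Report-Only` and violations are only reported." `reportUri` reads "an uri under, which the violations have to be reported"; suggest "a URI to which the browser reports policy violations". The mode sentence in the Description inverts its clause order; suggest "In report mode the `Content-Security-Policy-Report-Only` header is sent; in enforce mode the `Content-Security-Policy` header is sent." Two omissions are worth filling: the page never states the Struts version that introduced the interceptor (the interceptors table marks other entries with "Since x.y.z"), and the example sets `csp.enforcingMode` on `defaultStack` without saying that the `csp` interceptor is part of that stack or what the emitted policy contains, so a reader cannot tell whether the example takes effect as written or needs an explicit `<interceptor-ref name="csp"/>`.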
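Review bot: the table rewrite in interceptors.md mixes a whitespace-only realignment of every existing row with the one substantive change, the new `csp` row, so the addition is buried in a 39-line delete and 40-line add; suggest putting the realignment in its own commit or adding the row to the old table layout. The new row's description, "Adds support for Content Security policy.", is inconsistent in capitalisation with the new page's own title ("Content Security Policy") and less specific than the neighbouring `coep`, `coop` and `fetchMetadata` rows, which name the mechanism and what it protects against; suggest "Implements Content Security Policy on incoming requests, sending `Content-Security-Policy` (enforce mode) or `Content-Security-Policy-Report-Only` (report mode)." Since every row is being touched anyway, the retained typo `[Checckbox Interceptor](checkbox-interceptor)` and the `.htm` suffix in `[Model Driven Interceptor](model-driven-interceptor.htm)`, which no other link in the table carries, could be fixed in the same pass.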
