This is an automated email from the ASF dual-hosted git repository.

lukaszlenart pushed a commit to branch csp-policy
in repository https://gitbox.apache.org/repos/asf/struts-site.git

commit b6892ee48d68d340551c1484acd4d87df00d3705
Author: Lukasz Lenart <lukaszlen...@apache.org>
AuthorDate: Wed Jan 11 08:26:14 2023 +0100

    Cleans up information about how to use CSP related interceptors
---
 source/core-developers/coep-interceptor.md         | 27 +++++++++++++---------
 source/core-developers/coop-interceptor.md         | 24 ++++++++++---------
 source/core-developers/csp-interceptor.md          |  4 +---
 .../core-developers/fetch-metadata-interceptor.md  | 21 +++++++++++------
 4 files changed, 44 insertions(+), 32 deletions(-)

diff --git a/source/core-developers/coep-interceptor.md 
b/source/core-developers/coep-interceptor.md
index 55e6d2dc9..00606ac15 100644
--- a/source/core-developers/coep-interceptor.md
+++ b/source/core-developers/coep-interceptor.md
@@ -6,24 +6,29 @@ parent:
     url: interceptors.html
 ---
 
-# Fetch Metadata Interceptor
+# Cross-Origin Embedder Policy Interceptor
 
 ## Description
 
 Interceptor that implements Cross-Origin Embedder Policy on incoming requests.
 
-COEP prevents the document from loading any framed documents which don't 
opt-in by setting the COEP header. (`Cross-Origin-Embedder-Policy: 
require-corp`). This provides protection for documents that don't restrict 
framing. A document that doesn't set COEP cannot be framed by another document 
with COEP. All descendents of a document with COEP will also enforce the same 
restrictions.
+COEP prevents the document from loading any framed documents which don't 
opt-in by setting the COEP header:
 
-COEP is now supported by all major browsers.
+```
+Cross-Origin-Embedder-Policy: require-corp
+```
 
+This provides protection for documents that don't restrict framing. A document 
that doesn't set COEP cannot be framed 
+by another document with COEP. All descendents of a document with COEP will 
also enforce the same restrictions.
 
-
-[More information about COEP](https://web.dev/why-coop-coep/#coep).
+COEP is now supported by all major browsers. [More information about 
COEP](https://web.dev/why-coop-coep/#coep).
 
 ## Parameters
 
-- `exemptedPaths` - Set of opt out endpoints that are meant to serve 
cross-site traffic. Paths should contain leading slashes and must be relative. 
This field is empty by default.
-- `enforcingMode` - Boolean variable allowing the user to let COEP operate in 
`enforcing`, which blocks both resource and reports violations, or 
`report-only` mode, which only reports violations. Default value for field is 
`false`.
+- `exemptedPaths` - Set of opt out endpoints that are meant to serve 
cross-site traffic. Paths should contain leading
+   slashes and must be relative. This field is empty by default.
+- `enforcingMode` - Boolean variable allowing the user to let COEP operate in 
`enforcing`, which blocks both resource 
+   and reports violations, or `report-only` mode, which only reports 
violations. Default value for field is `false`.
 - `disabled` - Boolean variable disabling and enabling COEP. Default value for 
field is `false`.
 
 ## Examples
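Review bot: the reflowed description keeps two wording defects that this rewrite could fix while it is touching these lines: `descendents` in `All descendents of a document with COEP will` should be `descendants`, and the `enforcingMode` bullet's `which blocks both resource and reports violations` is garbled; `which both blocks resources and reports violations` says what is meant. Worth a second look as well: with `require-corp`, COEP restricts which cross-origin subresources the document may load (those that opt in via CORP or CORS), while the text describes it purely in terms of framing, which reads more like COOP or `frame-ancestors`. Finally, the new fence around `Cross-Origin-Embedder-Policy: require-corp` is untagged; tagging it (e.g. ```http) would match the ```xml fence used in the Examples section of the same page.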
@@ -31,10 +36,10 @@ COEP is now supported by all major browsers.
 ```xml
 <action  name="someAction" class="com.examples.SomeAction">
     <interceptor-ref name="defaultStack">
-        <param 
name="coepInterceptor.exemptedPaths">/path1,/path2,/path3</param>
-        <param name="coepInterceptor.enforcingMode">false</param>
-        <param name="coepInterceptor.disabled">false</param>
+        <param name="coep.exemptedPaths">/path1,/path2,/path3</param>
+        <param name="coep.enforcingMode">false</param>
+        <param name="coep.disabled">false</param>
     </interceptor-ref>
     <result name="success">good_result.ftl</result>
 </action>
-```
\ No newline at end of file
+```
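Review bot: the prefix change from `coepInterceptor.` to `coep.` in `<param name="coep.exemptedPaths">`, `coep.enforcingMode` and `coep.disabled` is only correct if `coep` is the name the interceptor is registered under in the stack; parameters in an `<interceptor-ref>` are routed by that name, and a mismatched prefix means the values never reach the interceptor and COEP silently stays at its defaults. Please confirm the registered name against the stack definition. Since `enforcingMode` defaults to `false` (report-only), consider showing `true` in the example so that copying it yields an enforcing configuration rather than one identical to the default. The trailing-newline fix is good.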
diff --git a/source/core-developers/coop-interceptor.md 
b/source/core-developers/coop-interceptor.md
index 24a4af44b..212621fae 100644
--- a/source/core-developers/coop-interceptor.md
+++ b/source/core-developers/coop-interceptor.md
@@ -10,7 +10,7 @@ parent:
 
 ## Description
 
-Interceptor that implements Cross-Origin Opener Policy on incoming requests.
+Interceptor that implements _Cross-Origin Opener Policy_ on incoming requests.
 
 COOP is a security mitigation that lets developers isolate their resources 
against side-channel attacks and information 
 leaks. The COOP response header allows a document to request a new browsing 
context group to better isolate itself 
@@ -22,15 +22,17 @@ are possible when a document shares a browsing context 
group and possibly an ope
 - Process-wide attacks. Side channel and transient execution attacks like 
Spectre may provide an opportunity 
   to the malicious document to get access to sensitive data from the victim 
document, if they share an OS process.
 
-The COOP header can have one of 3 values: `same-origin`, 
`same-origin-allow-popups`, `unsafe-none`. If the COOP values 
-are the same, and the origins of the documents match the relationship declared 
in the COOP header value, documents can 
-interact with each other. Otherwise, if at least one of the documents sets 
COOP, the browser will create a new browsing 
-context group severing the link between the documents. Sites can use 
`same-origin-allow-popups` to allow popups they open
-to be in their browsing context group (unless the popup's own COOP prevents 
this).
+The COOP header can have one of 3 values:
+- `same-origin`
+- `same-origin-allow-popups`
+- `unsafe-none`
+ 
+If the COOP values are the same, and the origins of the documents match the 
relationship declared in the COOP header 
+value, documents can interact with each other. Otherwise, if at least one of 
the documents sets COOP, the browser 
+will create a new browsing context group severing the link between the 
documents. Sites can use `same-origin-allow-popups` 
+to allow popups they open to be in their browsing context group (unless the 
popup's own COOP prevents this).
 
-COOP is now supported by all major browsers.
-
-[More information about COOP](https://web.dev/why-coop-coep/#coop).
+COOP is now supported by all major browsers. [More information about 
COOP](https://web.dev/why-coop-coep/#coop).
 
 ## Parameters
 
@@ -44,8 +46,8 @@ COOP is now supported by all major browsers.
 ```xml
 <action  name="someAction" class="com.examples.SomeAction">
     <interceptor-ref name="defaultStack">
-        <param 
name="coopInterceptor.exemptedPaths">/path1,/path2,/path3</param>
-        <param name="coopInterceptor.mode">same-origin</param>
+        <param name="coop.exemptedPaths">/path1,/path2,/path3</param>
+        <param name="coop.mode">same-origin</param>
     </interceptor-ref>
     <result name="success">good_result.ftl</result>
 </action>
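Review bot: same concern as for the COEP page: `coop.exemptedPaths` and `coop.mode` only take effect if `coop` is the name under which the interceptor is registered in `defaultStack`; please verify that name, because a wrong prefix is not reported as an error and leaves the interceptor at its defaults. It would also help the reader to state next to this example that `coop.mode` accepts exactly the three values listed in the description (`same-origin`, `same-origin-allow-popups`, `unsafe-none`), since the example shows only `same-origin`.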
diff --git a/source/core-developers/csp-interceptor.md 
b/source/core-developers/csp-interceptor.md
index 82ed7e631..b29584d4b 100644
--- a/source/core-developers/csp-interceptor.md
+++ b/source/core-developers/csp-interceptor.md
@@ -19,9 +19,7 @@ to site defacement, to malware distribution.
 CSP can work in two modes, either **enforce** or **report**. In the report 
mode the `Content-Security-Policy-Report-Only`
 header is sent and `Content-Security-Policy` header is used when using the 
enforce mode.
 
-CSP is now supported by all major browsers.
-
-[More information about 
CSP](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP).
+CSP is now supported by all major browsers. [More information about 
CSP](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP).
 
 ## Parameters
 
diff --git a/source/core-developers/fetch-metadata-interceptor.md 
b/source/core-developers/fetch-metadata-interceptor.md
index 2ea61c90c..e55013a3e 100644
--- a/source/core-developers/fetch-metadata-interceptor.md
+++ b/source/core-developers/fetch-metadata-interceptor.md
@@ -10,22 +10,29 @@ parent:
 
 ## Description
 
-An interceptor that implements Fetch Metadata on incoming requests used to 
protect against CSRF, XSSI, and cross-origin information leaks. Uses a default 
Resource Isolation Policy to programmatically reject cross-origin requests.
+An interceptor that implements Fetch Metadata on incoming requests used to 
protect against CSRF, XSSI, and cross-origin 
+information leaks. Uses a default Resource Isolation Policy to 
programmatically reject cross-origin requests.
 
-A Resource Isolation Policy is a strong defense in-depth mechanism that 
prevents the resources on a server from being requested by external websites. 
This policy can be enabled either for all endpoints of the application and  
endpoints that are meant to be loaded in a cross-site context can be exempted 
from the policy.
+A Resource Isolation Policy is a strong defense in-depth mechanism that 
prevents the resources on a server from being 
+requested by external websites. This policy can be enabled either for all 
endpoints of the application and  endpoints 
+that are meant to be loaded in a cross-site context can be exempted from the 
policy.
 
-The browser provides information about the context of an HTTP request in a set 
of `Sec-Fetch-*` headers. This allows the server processing the request to make 
decisions on whether the request should be accepted or rejected based on the 
preferred resource isolation policy. Struts provides a default Resource 
Isolation Policy that rejects cross-origin requests that aren't top level 
navigations.
+The browser provides information about the context of an HTTP request in a set 
of `Sec-Fetch-*` headers. This allows 
+the server processing the request to make decisions on whether the request 
should be accepted or rejected based 
+on the preferred resource isolation policy. Struts provides a default 
_Resource Isolation Policy_ that rejects 
+_cross-origin_ requests that aren't top level navigations.
 
 ```
 Sec-Fetch-Site == 'cross-site' AND (Sec-Fetch-Mode != 
'navigate'/'nested-navigate' OR method NOT IN [GET, HEAD])
 ```
 
-Refer to [Implementing a Resource Isolation 
Policy](https://web.dev/fetch-metadata/#implementing-a-resource-isolation-policy)
 for further information on implementing effective Resource Isolation Policies.
-Fetch Metadata is supported in all major browsers
+Refer to [Implementing a Resource Isolation 
Policy](https://web.dev/fetch-metadata/#implementing-a-resource-isolation-policy)
 
+for further information on implementing effective Resource Isolation Policies. 
Fetch Metadata is supported in all major browsers.
 
 ## Parameters
 
-- `exemptedPaths` - Set of opt out endpoints that are meant to serve 
cross-site traffic. Paths should contain leading slashes and must be relative. 
This field is empty by default.
+- `exemptedPaths` - Set of opt out endpoints that are meant to serve 
cross-site traffic. Paths should contain leading 
+   slashes and must be relative. This field is empty by default.
 
 ## Examples
 
@@ -36,4 +43,4 @@ Fetch Metadata is supported in all major browsers
     </interceptor-ref>
     <result name="success">good_result.ftl</result>
 </action>
-```
\ No newline at end of file
+```
