Adding documentation for Fetch Metadata, Cross-Origin Opener Poliy & Cross-Origin Embedder Policy #149
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
* Adding documentation for FM and COOP/COEP (#1) * Fetch Metadata docs * Added explanations of FM and COOP/COEP * Add docs for COOP and COEP * Update source/security/index.md Co-authored-by: Sal <salchoman@gmail.com> * Update source/security/index.md Co-authored-by: Sal <salchoman@gmail.com> * Removed extra white space * Update source/core-developers/fetch-metadata-interceptor.md Co-authored-by: Sal <salchoman@gmail.com> * Update source/core-developers/fetch-metadata-interceptor.md Co-authored-by: Sal <salchoman@gmail.com> * Update source/core-developers/fetch-metadata-interceptor.md Co-authored-by: Sal <salchoman@gmail.com> * Update source/core-developers/fetch-metadata-interceptor.md Co-authored-by: Sal <salchoman@gmail.com> * Fixes based on PR comments Co-authored-by: Giannis Chatziveroglou <gchatz@mit.edu> Co-authored-by: Sal <salchoman@gmail.com> * Fixes in interceptors table and individual interceptors files * Update source/core-developers/coep-interceptor.md Co-authored-by: Sal <salchoman@gmail.com> * Update source/core-developers/coep-interceptor.md Co-authored-by: Sal <salchoman@gmail.com> Co-authored-by: Giannis Chatziveroglou <gchatz@mit.edu> Co-authored-by: Sal <salchoman@gmail.com>
yasserzamani
requested changes
Aug 28, 2020
| ## Examples | ||
|
|
||
| ```xml | ||
| <interceptor name="coep" class="org.apache.struts2.interceptor.CoepInterceptor"/> |
There was a problem hiding this comment.
As you've already defined and added it to struts-default.xml.defaultStack at here , this duplicate definition is not needed as far as I can remember but please wait if @apache/struts-committers acknowledge as well.
| <interceptor name="coep" class="org.apache.struts2.interceptor.CoepInterceptor"/> | ||
|
|
||
| <action name="someAction" class="com.examples.SomeAction"> | ||
| <interceptor-ref name="defaultStack"> |
There was a problem hiding this comment.
Same here. I think it should be something like:
<action name="someAction" class="com.examples.SomeAction">
<interceptor-ref name="defaultStack">
<param name="coepInterceptor.exemptedPaths">...
.
.
.
</interceptor-ref>|
|
||
| <action name="someAction" class="com.examples.SomeAction"> | ||
| <interceptor-ref name="defaultStack"> | ||
| <interceptor-ref name="coop"> |
|
|
||
| <action name="someAction" class="com.examples.SomeAction"> | ||
| <interceptor-ref name="defaultStack"> | ||
| <interceptor-ref name="fetchMetadata"> |
|
Thank you for your comments @yasserzamani ! Applied your changes and as said will also be waiting for @apache/struts-committers opinion |
yasserzamani
approved these changes
Aug 29, 2020
|
LGTM 👍 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Hello Struts devs!
We're really proud to have contributed to Struts by adding Fetch Metadata (apache/struts#426) and COOP/COEP support (apache/struts#432) in the past few months while CSP is still being reviewed (apache/struts#430). This PR updates documentation to reflect the new interceptors (not CSP!), their parameters, usage and brief explanations of what these security mitigations are and how they work.
We hope this will motivate Struts developers to enable brand new security mitigations on their way forward :)