On Wed, 9 Jul 2025 at 20:03, Ute Kaiser <ut...@web.de.invalid> wrote:
>
> Hi,
> I want to add
> frame-ancestors 'self'
> to the HTTP headers provided by Struts 7 (using enforce mode).
>
> Unfortunately I do not understand
> https://struts.apache.org/core-developers/csp-interceptor
>
> Neither do I want to replace DefaultCspSettings.class (losing any Struts
> enhancements in future Struts versions) in the first place,
> nor did I see how to use CspSettingsAware.
>
> I looked into CspInterceptorTest.java:
>     public CspSettings getCspSettings() {
>         DefaultCspSettings settings = new DefaultCspSettings();
>         settings.setReportUri(reportUri);
>         return settings;
>     }
> but that did not help to add an entry to the policy.
>
> Please give me a hint. If necessary, I would try
> >>
> cspSettingsClassName (default to DefaultCspSettings.class) - a full class
> name implementing CspSettings interface to allow to define a custom CSP
> settings.
> <<
> but I am not quite sure if this means to copy or extend the default class, and not
> sure how to change my class and how to configure struts.xml.
If this should be a global change it's better to implement your own CspSettings by either extending DefaultCspSettings or implementing it from scratch. Then you can provide the new class via the cspSettingsClassName parameter.

> Mail not sent while work in progress:
>
> I extended the default class by overriding createPolicyFormat and managed to
> get it to work with this struts.xml (took me quite a while):
> <interceptor-ref name="defaultStack">
>     <param name="csp.enforcingMode">true</param>
>     <param name="csp.cspSettingsClassName">my.FullyQualifiedCspSettingsClass</param>
> </interceptor-ref>
>
> These are the warnings in the Firefox developer tools:
> Content-Security-Policy: Ignorieren von "http:" innerhalb script-src:
> 'strict-dynamic' angegeben
> (my translation: "http:" within script-src ignored: 'strict-dynamic' specified.)
> Is the Struts default CSP policy inconsistent?
>
> Please tell me if I am on the right path, if there is a better best practice,
> and could you please extend the documentation?
> I am not lucky with overriding createPolicyFormat.

You must override the interceptor's parameters like this (I assume in your case Method 3 is the way to go):
https://struts.apache.org/core-developers/interceptors#interceptor-parameter-overriding

If you have other requirements let me know and I will try to address them in the next Struts 7 version.

Cheers
Łukasz
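One way to do what Łukasz describes (extend DefaultCspSettings rather than replace it) is sketched below; this is an added example, not code from the thread or from the Struts project. It assumes that createPolicyFormat(HttpServletRequest) is the overridable hook on Struts 7 (as the original poster reported), that the returned string is later passed through String.format to fill in the nonce (as in the Struts 6.x source), and that Struts 7 uses the jakarta.servlet package; the package and class names are placeholders.

```java
package my; // placeholder package, use your own

// Assumption: Struts 7 targets Jakarta EE; on older Struts use javax.servlet.http.HttpServletRequest
import jakarta.servlet.http.HttpServletRequest;
import org.apache.struts2.interceptor.csp.DefaultCspSettings;

/**
 * Extends the stock Struts CSP settings instead of copying them, so future
 * improvements to DefaultCspSettings (nonce handling, report-uri, enforce vs.
 * report-only mode) are inherited. Only frame-ancestors is added.
 *
 * Registered in struts.xml exactly as in the thread:
 *   <param name="csp.enforcingMode">true</param>
 *   <param name="csp.cspSettingsClassName">my.FrameAncestorsCspSettings</param>
 */
public class FrameAncestorsCspSettings extends DefaultCspSettings {

    // Stops other origins from framing the application (clickjacking defence).
    private static final String FRAME_ANCESTORS = "frame-ancestors 'self'";

    @Override
    protected String createPolicyFormat(HttpServletRequest request) {
        // super returns the stock policy *format*, e.g.
        // "object-src 'none'; script-src 'nonce-%s' 'strict-dynamic' http: https:; base-uri 'none'; "
        // (assumption: %s is filled with the per-request nonce later, so the
        // directive appended here must not contain a literal '%').
        return appendDirective(super.createPolicyFormat(request), FRAME_ANCESTORS);
    }

    /** Appends a directive, adding the ';' separator only when the base policy lacks one. */
    static String appendDirective(String policy, String directive) {
        String base = policy == null ? "" : policy.trim();
        if (base.isEmpty()) {
            return directive + ";";
        }
        if (!base.endsWith(";")) {
            base = base + ";";
        }
        return base + " " + directive + ";";
    }
}
```

The Firefox message about ignoring http: inside script-src is the expected behaviour of a browser that understands 'strict-dynamic': scheme and host sources in that directive are deliberately ignored by such browsers and only serve as a fallback for older ones, so the resulting header is not inconsistent.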