Content Security Policy - Java Servlet Filter #332
Comments
My preference is to put this and things like it under a separate 'contrib' area. Any suggestions where we should put something like that? For comparison, see https://code.google.com/p/owasp-esapi-java/source/browse/contrib. I would also like to migrate those pieces to GitHub as well but need some advice from you git / GitHub gurus.
Note that one major reason that I don't want to pull this in with the main ESAPI/esapi-java-legacy stuff is because it adds more dependencies (e.g., Hamcrest) that are not used elsewhere and ESAPI already has way too many dependencies. So IMO, that's why we need a separate 'contrib' project.
My 2c: Hamcrest has also been a dependency on almost every application I've worked on since 2013. I don't necessarily think that's a deal-breaker.
And Filters are opt-in by default. I don't have a problem with bringing in filters within the main project.
Maybe not; but throughout close to 125 or so secure code reviews, I only recall seeing it being used once!
-kevin
On Mon, Jul 24, 2017 at 9:28 PM, Matt Seil ***@***.***> wrote:
My 2c: Hamcrest has also been a dependency on almost every application I've worked on since 2013. I don't necessarily think that's a deal-breaker.
--
Blog: http://off-the-wall-security.blogspot.com/ | Twitter: @KevinWWall
NSA: All your crypto bit are belong to us.
ESAPI already has several JavaEE filters:
./src/main/java/org/owasp/esapi/filters/ESAPIFilter.java
./src/main/java/org/owasp/esapi/filters/ClickjackFilter.java
./src/main/java/org/owasp/esapi/filters/RequestRateThrottleFilter.java
./src/main/java/org/owasp/esapi/waf/ESAPIWebApplicationFirewallFilter.java
so it's not that, that I object to. However, hamcrest adds another compile-time dependency (maybe more, if it has additional transitive dependencies that we are not already using) and it gets to be difficult to explain to people which runtime dependencies they need so they have a tendency to just use them all.
-kevin
On Mon, Jul 24, 2017 at 9:29 PM, Matt Seil ***@***.***> wrote:
And Filters are opt-in by default. I don't have a problem with bringing in filters within the main project.
This also uses SLF4J for logging, so until ESAPI gets support for SLF4J (see issue #129), I think this will have to wait. I still think 'contrib' is the better spot for this though, especially since this project doesn't seem to be active (last commit in Nov 2014).
I'm unassigning this from myself, since it doesn't make sense for me to take things marked "good first issue". Besides I already have enough other issues to work on and keep me busy.
From ronald.p...@googlemail.com on May 14, 2014 12:42:51
Hi,
I wrote a Java Servlet Filter for Content Security Policy 1.0 ( http://www.w3.org/TR/CSP/ ) which can be found on github: https://github.com/ronaldploeger/ContentSecurityPolicyFilter I would like to offer this for inclusion into ESAPI.
Best regards,
Ronald
Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=328