Konstantin,

On 8/16/20 15:59, Konstantin Kolinko wrote:
> Sun, 16 Aug 2020 at 21:32, Igal Sapir <i...@lucee.org>:
>>
>> I don't see any scripts either. Why not add a CSP and set script
>> to 'none'? I can add that if no one objects.
>>
>
> sessionsList.jsp has onclick attributes. Maybe it can be modified
> to work without them, I do not know.

SOP these days is to include a script that attaches itself to the appropriate elements, instead of having "onclick" attributes directly in the markup.

This can be solved either by modifying the CSP for that page specifically, or by specifically allowing scripts based upon their sha256 signatures.

-chris
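The trade-off discussed in this thread, as an added example that is not part of the original message or of Tomcat's code: a small audit that lists inline event-handler attributes (which a `script-src 'none'` or hash-only policy would block) and computes the `'sha256-…'` source for each inline `<script>` element. The markup, the `pick` handler and the function names `audit` and `csp_hash` are hypothetical and constructed for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser


class InlineScriptAudit(HTMLParser):
    """Collect inline <script> bodies and inline event-handler attributes."""

    def __init__(self):
        super().__init__()
        self.scripts = []      # text of each inline <script> element
        self.handlers = []     # (tag, attribute) pairs such as ("tr", "onclick")
        self._buf = None       # accumulates text while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        names = [name for name, _ in attrs]
        self.handlers += [(tag, n) for n in names if n.startswith("on")]
        if tag == "script" and "src" not in names:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append("".join(self._buf))
            self._buf = None


def csp_hash(script_text):
    """Return the CSP hash source for the exact text between the script tags."""
    digest = hashlib.sha256(script_text.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def audit(html):
    """Return (script-src directive, inline handlers that it would block)."""
    parser = InlineScriptAudit()
    parser.feed(html)
    parser.close()
    sources = [csp_hash(s) for s in parser.scripts] or ["'none'"]
    return "script-src " + " ".join(sources), parser.handlers


# Constructed sample pages (not the real sessionsList.jsp markup).
BEFORE = '<table><tr onclick="pick(this)"><td>s1</td></tr></table>'
SCRIPT = "document.querySelectorAll('tr').forEach(r => r.addEventListener('click', () => pick(r)));"
AFTER = "<table><tr><td>s1</td></tr></table><script>" + SCRIPT + "</script>"

if __name__ == "__main__":
    for name, page in (("before", BEFORE), ("after", AFTER)):
        print(name, *audit(page), sep=" | ")
```

Hash sources match inline `<script>` elements, not event-handler attributes, so any handler the audit reports has to move into a script before a hash-based policy can be applied to that page.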