Andreas Sachs created WW-5504:
---------------------------------
Summary: CSP Nonce changes within a page
Key: WW-5504
URL: https://issues.apache.org/jira/browse/WW-5504
Project: Struts 2
Issue Type: Bug
Components: Core Interceptors
Affects Versions: 6.7.0
Reporter: Andreas Sachs
Sometimes the CSP nonce changes within a page.
<script type="text/javascript" src="..." nonce="A"> </script>
<script type="text/javascript" src="..." nonce="A"> </script>
...
<script type="text/javascript" src="..." nonce="B"> </script>
This happens if there are concurrent requests within the same session.
Each request stores a new nonce in the session:
DefaultCspSettings:
request.getSession().setAttribute("nonce", nonceValue);
If the first request is not finished, the second request will change the nonce
of the first request.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
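To make the race concrete, here is a small Python model (added here; it is not Struts code and does not use the Struts API) of one session shared by two overlapping requests. `session_scoped_nonce` mirrors the `request.getSession().setAttribute("nonce", ...)` pattern quoted above, and `request_scoped_nonce` shows the mitigation of caching the nonce on the request object instead; all class and function names are assumptions of the model.

```python
import secrets

# Constructed model of the race reported in WW-5504; not Struts code.

class Session:
    """Models HttpSession attributes shared by all requests of one user."""
    def __init__(self):
        self.attributes = {}

class Request:
    """Models one HTTP request bound to a session, with its own attributes."""
    def __init__(self, session):
        self.session = session
        self.attributes = {}

def session_scoped_nonce(request):
    """Reported behaviour: every request writes a fresh nonce into the
    shared session, so a later read may see another request's nonce."""
    nonce = secrets.token_urlsafe(16)
    request.session.attributes["nonce"] = nonce
    return nonce

def read_session_nonce(request):
    """Tags rendered later in the page read whatever the session holds now."""
    return request.session.attributes["nonce"]

def request_scoped_nonce(request):
    """Mitigation: generate once per request and cache it on the request,
    so a concurrent request in the same session cannot overwrite it."""
    if "nonce" not in request.attributes:
        request.attributes["nonce"] = secrets.token_urlsafe(16)
    return request.attributes["nonce"]

def render_script_tag(nonce):
    return f'<script type="text/javascript" src="..." nonce="{nonce}"></script>'

def interleaved_render(make_nonce, read_nonce):
    """Render two pages whose requests overlap within one session:
    request 1 starts, request 2 starts, then both keep rendering tags.
    Returns (page1_tags, page2_tags)."""
    session = Session()
    r1, r2 = Request(session), Request(session)
    page1 = [render_script_tag(make_nonce(r1))]      # r1 emits its first tag
    page2 = [render_script_tag(make_nonce(r2))]      # r2 starts concurrently
    page1.append(render_script_tag(read_nonce(r1)))  # r1 emits a later tag
    page2.append(render_script_tag(read_nonce(r2)))
    return page1, page2

def nonces_consistent(page):
    """True when every tag on the page carries the same nonce."""
    return len({tag.split('nonce="')[1].split('"')[0] for tag in page}) == 1
```

With the session-scoped store the first page ends up with two different nonces, exactly the A/A/.../B pattern in the report, and the browser will refuse to run the scripts whose nonce no longer matches the response header; the request-scoped variant keeps each page consistent.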