[
https://issues.apache.org/jira/browse/WW-5504?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17909854#comment-17909854
]
Lukasz Lenart edited comment on WW-5504 at 1/5/25 9:24 AM:
-----------------------------------------------------------
It would require to have it behind an option to support backward compatibility,
eg. {{struts.csp.nonce.useRequestAttribute=true}}
was (Author: lukaszlenart):
It would require to have if behind an option to support backward compatibility,
eg. {{struts.csp.nonce.useRequestAttribute=true}}
> CSP Nonce changes within a page
> -------------------------------
>
> Key: WW-5504
> URL: https://issues.apache.org/jira/browse/WW-5504
> Project: Struts 2
> Issue Type: Bug
> Components: Core Interceptors
> Affects Versions: 6.7.0
> Reporter: Andreas Sachs
> Priority: Major
> Fix For: 6.7.1
>
>
> Sometimes the CSP nonce changes within a page.
>
> <script type="text/javascript" src="..." nonce="A"> </script>
> <script type="text/javascript" src="..." nonce="A"> </script>
> ...
> <script type="text/javascript" src="..." nonce="B"> </script>
>
> This happens if there are concurrent requests within the same session.
>
> Each request stores a new nonce in the session:
>
> DefaultCspSettings:
> request.getSession().setAttribute("nonce", nonceValue);
>
> If the first request is not finished, the second request will change the
> nonce of the first request.
>
>
>
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
