[ https://issues.apache.org/jira/browse/WW-5504?focusedWorklogId=950946&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-950946 ]
ASF GitHub Bot logged work on WW-5504:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 05/Jan/25 13:28
            Start Date: 05/Jan/25 13:28
    Worklog Time Spent: 10m
      Work Description: lukaszlenart opened a new pull request, #1174:
URL: https://github.com/apache/struts/pull/1174

   WW-5504

Issue Time Tracking
-------------------

            Worklog Id:     (was: 950946)
    Remaining Estimate: 0h
            Time Spent: 10m

> CSP Nonce changes within a page
> -------------------------------
>
>                 Key: WW-5504
>                 URL: https://issues.apache.org/jira/browse/WW-5504
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core Interceptors
>    Affects Versions: 6.7.0
>            Reporter: Andreas Sachs
>            Priority: Major
>             Fix For: 6.8.0, 7.1.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Sometimes the CSP nonce changes within a page.
>
> <script type="text/javascript" src="..." nonce="A"> </script>
> <script type="text/javascript" src="..." nonce="A"> </script>
> ...
> <script type="text/javascript" src="..." nonce="B"> </script>
>
> This happens if there are concurrent requests within the same session.
>
> Each request stores a new nonce in the session:
>
> DefaultCspSettings:
> request.getSession().setAttribute("nonce", nonceValue);
>
> If the first request is not finished, the second request will change the
> nonce of the first request.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
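
The interleaving described in the report, reproduced deterministically as an added example (not code from Struts or from pull request #1174). Plain maps stand in for the session and request attributes; the class NonceScopeDemo, its helper methods and the request-scoped variant are assumptions made for illustration, not the project's fix.

```java
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Base64;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Added illustration: plain maps stand in for the HTTP session and request attributes.
public class NonceScopeDemo {
    private static final SecureRandom RNG = new SecureRandom();

    static String newNonce() {
        byte[] raw = new byte[18];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    // Renders `tags` script tags, reading the nonce from `scope` for each one.
    // `concurrent` runs after the first tag: a second request arriving mid-render.
    static List<String> render(Map<String, Object> scope, int tags, Runnable concurrent) {
        List<String> used = new ArrayList<>();
        for (int i = 0; i < tags; i++) {
            used.add((String) scope.get("nonce"));
            if (i == 0) concurrent.run();
        }
        return used;
    }

    static void report(String label, String first, List<String> tags) {
        long distinct = tags.stream().distinct().count();
        boolean stable = tags.stream().allMatch(first::equals);
        System.out.println(label + ": distinct nonces in page=" + distinct + ", stable=" + stable);
    }

    public static void main(String[] args) {
        // Session scope, as in the report: both requests write the same attribute.
        Map<String, Object> session = new HashMap<>();
        session.put("nonce", newNonce());                 // request 1 begins
        String first = (String) session.get("nonce");
        report("session scope", first,
                render(session, 3, () -> session.put("nonce", newNonce()))); // request 2 begins

        // Request scope (assumed alternative): each request owns its attribute map.
        Map<String, Object> request1 = new HashMap<>();
        Map<String, Object> request2 = new HashMap<>();
        request1.put("nonce", newNonce());
        String own = (String) request1.get("nonce");
        report("request scope", own,
                render(request1, 3, () -> request2.put("nonce", newNonce())));
    }
}
```

A browser enforcing the policy only runs scripts whose nonce matches one listed in the Content-Security-Policy header, so a page rendered with two nonce values cannot have all of its scripts accepted by a header that carries a single nonce.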