[ https://issues.apache.org/jira/browse/WW-5504?focusedWorklogId=950953&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-950953 ]
ASF GitHub Bot logged work on WW-5504:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 05/Jan/25 16:19
            Start Date: 05/Jan/25 16:19
    Worklog Time Spent: 10m
      Work Description: lukaszlenart commented on PR #1174:
URL: https://github.com/apache/struts/pull/1174#issuecomment-2571678039

   Thanks, fixed! Yet I'm not sure if this is a proper way to do it


Issue Time Tracking
-------------------

    Worklog Id:     (was: 950953)
    Time Spent: 40m  (was: 0.5h)

> CSP Nonce changes within a page
> -------------------------------
>
>                 Key: WW-5504
>                 URL: https://issues.apache.org/jira/browse/WW-5504
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core Interceptors
>    Affects Versions: 6.7.0
>            Reporter: Andreas Sachs
>            Priority: Major
>             Fix For: 6.8.0, 7.1.0
>
>          Time Spent: 40m
>  Remaining Estimate: 0h
>
> Sometimes the CSP nonce changes within a page.
>
> <script type="text/javascript" src="..." nonce="A"> </script>
> <script type="text/javascript" src="..." nonce="A"> </script>
> ...
> <script type="text/javascript" src="..." nonce="B"> </script>
>
> This happens if there are concurrent requests within the same session.
>
> Each request stores a new nonce in the session:
>
> DefaultCspSettings:
> request.getSession().setAttribute("nonce", nonceValue);
>
> If the first request is not finished, the second request will change the
> nonce of the first request.
>
>
>

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
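
The interleaving described in the issue, as an added example that is not part of the original message or of the Struts code base: plain maps stand in for the `HttpSession` and for request attributes (assumptions), and `NonceScopeDemo`, `beginRequest` and `mismatchedTags` are hypothetical names. The request-scoped variant is shown for contrast only and is not claimed to be the change made in PR #1174.

```java
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Base64;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Added illustration. Plain maps stand in for HttpSession / request attributes (assumption).
public class NonceScopeDemo {
    private static final SecureRandom RNG = new SecureRandom();

    static String newNonce() {
        byte[] raw = new byte[18];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    // Starts a request: generates a nonce, stores it, and returns it as the
    // value that request's Content-Security-Policy header would carry.
    static String beginRequest(Map<String, Object> store) {
        String nonce = newNonce();
        store.put("nonce", nonce);
        return nonce;
    }

    // Request 1 renders two script tags; request 2 begins between them.
    // Returns how many of request 1's tags carry a nonce that differs from
    // request 1's header nonce (those tags would not match the policy's nonce).
    static int mismatchedTags(Map<String, Object> store1, Map<String, Object> store2) {
        String header1 = beginRequest(store1);
        List<String> tags = new ArrayList<>();
        tags.add((String) store1.get("nonce"));   // first <script nonce="...">
        beginRequest(store2);                      // concurrent request starts
        tags.add((String) store1.get("nonce"));   // later <script nonce="...">
        int mismatched = 0;
        for (String tagNonce : tags) {
            if (!tagNonce.equals(header1)) mismatched++;
        }
        return mismatched;
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();   // shared by both requests
        System.out.println("nonce kept in session, mismatched tags: "
                + mismatchedTags(session, session));
        System.out.println("nonce kept per request, mismatched tags: "
                + mismatchedTags(new HashMap<>(), new HashMap<>()));
    }
}
```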