[ https://issues.apache.org/jira/browse/WW-5504?focusedWorklogId=982151&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-982151 ]
ASF GitHub Bot logged work on WW-5504:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 07/Sep/25 08:00
            Start Date: 07/Sep/25 08:00
    Worklog Time Spent: 10m
      Work Description: sonarqubecloud[bot] commented on PR #1174:
URL: https://github.com/apache/struts/pull/1174#issuecomment-3263571505

   Please retry analysis of this Pull-Request directly on SonarQube Cloud

Issue Time Tracking
-------------------

    Worklog Id:     (was: 982151)
    Time Spent: 1h 40m  (was: 1.5h)

> CSP Nonce changes within a page
> -------------------------------
>
>                 Key: WW-5504
>                 URL: https://issues.apache.org/jira/browse/WW-5504
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core Interceptors
>    Affects Versions: 6.7.0
>            Reporter: Andreas Sachs
>            Assignee: Lukasz Lenart
>            Priority: Major
>             Fix For: 6.8.0, 7.1.0
>
>          Time Spent: 1h 40m
>  Remaining Estimate: 0h
>
> Sometimes the CSP nonce changes within a page.
>
> <script type="text/javascript" src="..." nonce="A"> </script>
> <script type="text/javascript" src="..." nonce="A"> </script>
> ...
> <script type="text/javascript" src="..." nonce="B"> </script>
>
> This happens if there are concurrent requests within the same session.
>
> Each request stores a new nonce in the session:
>
> DefaultCspSettings:
> request.getSession().setAttribute("nonce", nonceValue);
>
> If the first request is not finished, the second request will change the
> nonce of the first request.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
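
The interleaving described in the report, replayed deterministically as an added example (not code from Struts or from PR #1174): a script tag rendered after a second request has overwritten the shared nonce no longer matches the nonce the first response announced in its CSP header, so the browser refuses that script. Assumptions: `CspNonceScopeDemo`, `Request` and `pageIsConsistent` are hypothetical names, plain maps stand in for the session and for per-request attributes, and per-request storage is shown as one way to avoid the overwrite, not as the fix the project adopted.

```java
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Base64;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class CspNonceScopeDemo {
    private static final SecureRandom RNG = new SecureRandom();

    static String newNonce() {
        byte[] raw = new byte[18];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /** One in-flight request; 'scope' is where its nonce is stored and read back. */
    static final class Request {
        final Map<String, Object> scope;
        final String headerNonce;                 // value announced in the CSP header
        final List<String> tagNonces = new ArrayList<>();

        Request(Map<String, Object> scope) {
            this.scope = scope;
            this.headerNonce = newNonce();
            scope.put("nonce", headerNonce);      // same kind of write as in the report
        }

        void renderScriptTag() {                  // each tag reads the nonce at render time
            tagNonces.add((String) scope.get("nonce"));
        }

        boolean allTagsMatchHeader() {
            return tagNonces.stream().allMatch(headerNonce::equals);
        }
    }

    /** Request 2 starts on the same session before request 1 has finished rendering. */
    static boolean pageIsConsistent(boolean sessionScoped) {
        Map<String, Object> session = new HashMap<>();   // shared by both requests
        Request first = new Request(sessionScoped ? session : new HashMap<>());
        first.renderScriptTag();
        Request second = new Request(sessionScoped ? session : new HashMap<>());
        first.renderScriptTag();                  // rendered after the second request's write
        second.renderScriptTag();
        return first.allTagsMatchHeader();
    }

    public static void main(String[] args) {
        System.out.println("session-scoped nonce consistent: " + pageIsConsistent(true));
        System.out.println("request-scoped nonce consistent: " + pageIsConsistent(false));
    }
}
```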