Wed, 12 Jun 2024 at 13:14 Nordmeyer, William, E (Serco NA)
<william.nordme...@serco-na.com.invalid> wrote:
> Other things we're seeing in developer tools that aren't in the attached logs:
>
> Content Security Policy blocks inline execution of scripts and stylesheets
>   The Content Security Policy prevents cross-site scripting attacks by 
> blocking inline execution of scripts and style sheets.
> To solve this, move all inline scripts (e.g. onclick=[35 code]) and styles into 
> external files.
>
> Adding unsafe-inline as a source to the CSP header
> Adding the hash or nonce of the inline to your CSP header

These are just warnings in report mode; CSP doesn't enforce blocking
such content, yet it would be good to address these warnings by using
<s:script/> or <s:link/>.
Also, stop using eval() in JavaScript; replace it with Function ->
https://github.com/struts-community-plugins/struts2-jquery/pull/430


Cheers
Lukasz
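The three options the thread touches on (report-only vs. enforcing header, a per-response nonce, a hash of the inline script) and a check for 'unsafe-inline', as an added example; this is not code from the thread or from Struts, and the helper names and the sample policy strings are constructed for illustration.

```python
import base64
import hashlib
import secrets

# Added example, not from the thread or the Struts project: builds the CSP
# header in report-only or enforcing mode with a nonce and/or script hashes,
# and audits a policy string for 'unsafe-inline' in the script policy.

def csp_hash_source(inline_script: str) -> str:
    """Return the 'sha256-...' source expression for one inline script body."""
    digest = hashlib.sha256(inline_script.encode("utf-8")).digest()
    return "'sha256-%s'" % base64.b64encode(digest).decode("ascii")

def csp_nonce() -> str:
    """Fresh per-response nonce; a nonce reused across responses is worthless."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")

def build_csp_header(nonce=None, hashes=(), report_only=True):
    """Return (header-name, header-value). Report-only mode only reports
    violations; switch report_only=False once the warnings are gone."""
    script_sources = ["'self'"]
    if nonce:
        script_sources.append("'nonce-%s'" % nonce)
    script_sources.extend(hashes)
    value = "default-src 'self'; script-src %s; style-src 'self'" % " ".join(script_sources)
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return name, value

def parse_csp(value: str) -> dict:
    """Map each directive name to its list of source expressions."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def audit_csp(value: str) -> list:
    """Flag 'unsafe-inline' with no nonce/hash (browsers ignore 'unsafe-inline'
    once a nonce or hash is present) and 'unsafe-eval' in the script policy."""
    policy = parse_csp(value)
    sources = policy.get("script-src", policy.get("default-src", []))
    findings = []
    strong = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
    if "'unsafe-inline'" in sources and not any(s.startswith(strong) for s in sources):
        findings.append("script-src allows 'unsafe-inline': any injected inline script runs")
    if "'unsafe-eval'" in sources:
        findings.append("script-src allows 'unsafe-eval': string-to-code evaluation is permitted")
    return findings
```

The hash form only matches the exact script text, so any change to the inline block means recomputing its hash; the nonce form avoids that but requires a new nonce on every response.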
