struts-community-plugins / struts2-jquery

Struts2 jQuery Plugin
Apache License 2.0

Generating `nonce` for generated scripts #582

Open afattahi54 opened 1 day ago

afattahi54 commented 1 day ago

We are trying to set the Content-Security-Policy to `script-src 'self'` in our web-based application, but we face issues. As the jquery-plugin library dynamically generates inline scripts, it is not possible to add this header.

As I found, this can be handled by adding a nonce to `<script>`: https://content-security-policy.com/nonce/

Is it possible for us to configure the Struts jQuery tags to generate a nonce?

lukaszlenart commented 1 day ago

`<s:script/>` should do it already; how do you use the plugin? The plugin has already been adjusted, see #318.

afattahi54 commented 1 day ago

I see the tags generate scripts like the one below (without a nonce):

```html
<script type="text/javascript">
jQuery(document).ready(function () {
    var options_anchor_991965924 = {};
    options_anchor_991965924.jqueryaction = "anchor";
    options_anchor_991965924.id = "anchor_991965924";
    options_anchor_991965924.targets = "helpPlaceHolder";
    options_anchor_991965924.href = "/guidance/contact-us.ib";
    options_anchor_991965924.listentopics = "contact-us";

    jQuery.struts2_jquery.bind(jQuery('#anchor_991965924'), options_anchor_991965924);
});
</script>
```

I am using version 5.0.6.