Struts2-core-6.1.1 with Content-Security-Policy HTTP header

I'm migrating a struts2-core-2.5.30 project to struts2-core-6.1.1, however I was getting the following error:

Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'nonce-YGAaDo9iR3Nd5TXLz6HiMO6v' 'strict-dynamic' http: https:". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.

I already placed in the of the jsp that I use the security policy for the content

 <meta http-equiv="content-type" content="script-src 'unsafe-inline'; script-src-elem 'http://localhost:8080/My_App/html/js/file.js'; text/html; charset=ISO-8859-1" />

And I get the following error:

Refused to load the script 'http://localhost:8080/My_App/html/js/file.js' because it violates the following Content Security Policy directive: "script-src 'nonce-7yiWsJW8gTw1QSsMQ-u_Ph61' 'strict-dynamic' http: https:". Note that 'strict-dynamic' is present, so host-based allowlisting is disabled. Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback. What am I doing wrong?

I want to clarify that in the version of struts that I had before, this error did not appear.

There is 1 answer

Erica Kane

Struts 6 added a CSPInterceptor that is in the default stack. I have had great difficulty finding much information about it, but using the <s:script> or <s:link> tag injects the nonce value automatically, which is rather nice. I do wish there were better documentation.

I believe it is possible to completely disable individual interceptors, or to create your own stack that does not include this one.