I have added a nonce script in my JSP page and am passing it to the http.conf file. I added a line of code to print the generated nonce. If I check the generated value in "view page source" and the nonce value in the network tab, the two values are different. And in the CSP, the nonce is coming as null.
Code used for nonce generation in the JSP page:
<%@ page import="java.security.SecureRandom, java.util.Base64" %>
<%
/* Generate a secure 128-bit nonce */
SecureRandom secureRandom = new SecureRandom();
byte[] nonceBytes = new byte[16]; // 128 bits
secureRandom.nextBytes(nonceBytes);
String nonce = Base64.getEncoder().encodeToString(nonceBytes);
/* Set the nonce as a request attribute and as a response header*/
request.setAttribute("nonce", nonce);
response.setHeader("CSP-Nonce", nonce);
%>
Added the below line in the httpd.conf file:
SetEnvIf CSP-Nonce "(.*)" NONCE=$1
CSP used:
Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' https://*; frame-ancestors 'self' 'domain_name1' 'domain_name2' 'domain_name3'; script-src 'self' 'unsafe-inline' 'unsafe-eval' 'nonce-%{NONCE}e'; object-src 'self' 'unsafe-inline' 'unsafe-eval';"
Can someone suggest the reason and a solution?
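An added example, not code from the question or from any answer on the original page. Apache's SetEnvIf evaluates attributes of the incoming request, and the nonce above is emitted as a response header after the JSP has run, so an environment variable derived from it is not available when mod_headers builds the policy; that is one way the header ends up with a null nonce while the page body carries a real one. The servlet filter below avoids the round trip through httpd.conf entirely: it generates the nonce, publishes it to the JSP as a request attribute, and sets the Content-Security-Policy header on the same response, so the two values come from one place. It assumes the javax.servlet API (use the jakarta.servlet package names on Servlet 5+ containers), a filter mapping of /*, and the attribute name cspNonce; all of those are my choices, not anything from the question. In the JSP the script tag would read the attribute as <script nonce="${cspNonce}">. Note that 'unsafe-inline' is left out of script-src: once a nonce or hash is present, CSP Level 2+ browsers ignore 'unsafe-inline' in that directive anyway, and leaving it in only keeps older browsers permissive.

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Base64;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (hypothetical class, not from the question): one fresh nonce
 * per response, exposed to the JSP as a request attribute and written into
 * the Content-Security-Policy header of that same response.
 */
@WebFilter("/*")  // assumed mapping: every request through this webapp
public class CspNonceFilter implements Filter {

    private static final SecureRandom RANDOM = new SecureRandom();

    /** Assumed attribute name; the JSP reads it as ${cspNonce}. */
    public static final String NONCE_ATTR = "cspNonce";

    /** 128 bits from SecureRandom, base64-encoded (valid inside 'nonce-...'). */
    static String newNonce() {
        byte[] bytes = new byte[16];
        RANDOM.nextBytes(bytes);
        return Base64.getEncoder().encodeToString(bytes);
    }

    /** Builds the policy string for one response. No 'unsafe-inline' in script-src. */
    static String buildPolicy(String nonce) {
        return "default-src 'self'; "
             + "script-src 'self' 'nonce-" + nonce + "'; "
             + "object-src 'none'; "
             + "frame-ancestors 'self'";
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        String nonce = newNonce();
        // The JSP picks this up for its <script nonce="..."> attributes.
        req.setAttribute(NONCE_ATTR, nonce);
        if (res instanceof HttpServletResponse) {
            // Set the header before the JSP writes any body; once the response
            // is committed, header changes are silently dropped.
            ((HttpServletResponse) res)
                .setHeader("Content-Security-Policy", buildPolicy(nonce));
        }
        chain.doFilter(req, res);
    }

    @Override
    public void init(FilterConfig cfg) {
        // nothing to configure
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

With the policy set by the application, the SetEnvIf line and the Header set Content-Security-Policy line in httpd.conf are no longer needed; if the Header set line stays, mod_headers replaces the application's header with its own copy, and the mismatch comes back.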
Tags: content security policy, CSP nonce, Stack Overflow
Title: content security policy - Query on CSP Nonce - Stack Overflow. Source: http://www.betaflare.com/web/1736303171a1931792.html