CSP

Magnus Tamm December 16, 2019

Hey.

Can I modify CSP to use a nonce to restrict using inline scripts? Or what are the possibilities to solve my problem?

Best wishes,

Magnus

1 answer

0 votes
Nic Brough -Adaptavist-
Community Leader
December 16, 2019

You will need to explain what you mean by "CSP" and what it has to do with Atlassian software.

Magnus Tamm December 16, 2019

Oh yes. Sorry for my poor explanation.

I'm talking about security headers. Right now CSP is set as: Content-Security-Policy: frame-ancestors 'self'

But it allows inline scripts to run in Jira. So you can run HTML <script> elements or on-event handlers to run XSS type attacks.

So the resolution is to calculate every script hash or use a nonce. But can I change these settings in Jira? Can I set CSP to nonce and if yes then how and where?
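As an added example (not code from this thread or from Atlassian), the check below reports whether a given Content-Security-Policy header still permits inline scripts, which is the gap described above with a header that only sets frame-ancestors, and builds the per-response nonce policy the question asks about. The function names are assumptions; it shows the CSP fallback rules generally rather than only the one header quoted.

```python
import re
import secrets

# Source expressions that make a script-src "nonce- or hash-based" (CSP level 2).
NONCE_OR_HASH = re.compile(
    r"^'(nonce-[A-Za-z0-9+/=_-]+|sha(256|384|512)-[A-Za-z0-9+/=]+)'$"
)


def parse_csp(header: str) -> dict:
    """Parse a CSP header value into {directive: [source, ...]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def allows_inline_scripts(header: str) -> bool:
    """True if the policy lets inline <script> blocks and on-event handlers run.

    script-src governs scripts and falls back to default-src; with neither
    present (as with "frame-ancestors 'self'" alone) scripts are unrestricted.
    'unsafe-inline' permits inline code, but browsers that understand nonces
    and hashes ignore it once a nonce or hash source is also listed.
    """
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True  # no directive covers scripts at all
    has_nonce_or_hash = any(NONCE_OR_HASH.match(s) for s in sources)
    return "'unsafe-inline'" in sources and not has_nonce_or_hash


def new_nonce() -> str:
    """Fresh, unguessable nonce for one HTTP response (128 bits from the CSPRNG)."""
    return secrets.token_urlsafe(16)


def nonce_policy(nonce: str) -> str:
    """Keep the existing frame-ancestors rule and allow only scripts that carry
    this response's nonce in their nonce="..." attribute."""
    return f"frame-ancestors 'self'; script-src 'nonce-{nonce}'"


if __name__ == "__main__":
    current = "frame-ancestors 'self'"  # the header quoted in the thread
    print(current, "-> inline allowed:", allows_inline_scripts(current))
    hardened = nonce_policy(new_nonce())
    print(hardened, "-> inline allowed:", allows_inline_scripts(hardened))
```

The nonce must be regenerated per response and injected into every legitimate inline script tag, so whatever emits the header has to cooperate with whatever renders the page.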
