Forums
Home Product Q&A Discussion groups Articles Ask a question Search
Learning
Events
Champions

Forums

Articles
Create
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

CSP

Magnus Tamm
Magnus Tamm December 16, 2019

Hey.

Can I modify CSP to use noonce to restrict using inline scripts? Or what are the possibilities to solve my problem?

Best wishes,

Magnus

Answer
Watch
Like Be the first to like this
992 views

1 answer

0 votes
Nic Brough -Adaptavist-
Nic Brough -Adaptavist-
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
December 16, 2019

You will need to explain what you mean by "CSP" and what it has to do with Atlassian software.

View More Comments
Magnus Tamm
Magnus Tamm December 16, 2019

Oh yes. Sorry for my poor explanation. 

I'm talking about security headers. Right now csp is set as: Content-Security-Policy: frame-ancestors 'self'

But it allows to run inline scripts in jira. So you can run HTML <script> elements or on-event handlers to run XSS type attacks. 

So the resulution is to calculate every script hash or use nonce. But can I change these settings in jira? Can i set csp to nonce and if yes then how and where?

Like
Reply

Suggest an answer

Log in or Sign up to answer
Confluence
Confluence
TAGS
AUG Leaders

Atlassian Community Events

Community
Forums
FAQs Forums guidelines
Learning
About learning Resources
Events
Champions
Copyright © 2025 Atlassian
Privacy Policy Terms Security
Welcome illustration

Welcome to the new Atlassian Community

Online forums and learning are now in one easy-to-use experience.

By continuing, you accept the updated Community Terms of Use and acknowledge the Privacy Policy. Your public name, photo, and achievements may be publicly visible and available in search engines.