Move Javascript to external files #782
Comments
Hi @okohll @fhuschle and others,
Hi, I'm afraid we no longer use JavaMelody, as a lot of the stats were duplicated by another monitoring system which centralises Tomcat JMX, database, server and other sources. However, JavaMelody is a great tool and we may go back to using it for additional purposes (e.g. the method call monitoring) at a later date. To answer the question, I can't see a problem with nonces, especially if the JavaMelody app can set or append to the required HTTP headers. However, if it requires integration with the server/app being monitored to set the correct headers, that sounds like it could be more complicated for the user. We use a Valve for the Tomcat server to 'hard-code' the set of CSP headers we use; there's no interaction with the app.
Can I suggest moving embedded JavaScript into external .js files? We have started using a Content Security Policy that disallows embedding JS with `<script>` tags as well as inline event handlers such as `onmouseout`.
Similarly, inline styles are disallowed; however, broken JS has the greatest impact.
I imagine use of CSPs like this is going to get more prevalent as time goes on.
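
An added example, not part of the issue or of JavaMelody's code: a small Python audit that lists the markup in a rendered page that a CSP without `'unsafe-inline'` would block, which is the inventory needed before moving code to external files. The sample HTML, the nonce value and the finding names are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample page; "r4nd0m" stands in for a per-response nonce.
SAMPLE = """<html><head>
<script src="report.js"></script>
<script nonce="r4nd0m">init();</script>
<script>var t = 1;</script>
<style>td { color: red }</style>
</head><body>
<a href="#" onmouseout="hide()" style="color:blue">graph</a>
</body></html>"""

class InlineAudit(HTMLParser):
    """Collects markup that a CSP without 'unsafe-inline' would block."""

    def __init__(self, nonce=None):
        super().__init__()
        self.nonce = nonce      # nonce the CSP header would carry, if any
        self.findings = []      # (line, kind, detail)
        self._open = None       # (kind, line) of a blocked script/style element

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        attrs = dict(attrs)
        for name in attrs:
            if name.startswith("on"):   # onmouseout, onclick, ...
                self.findings.append((line, "event-handler-attr", f"<{tag} {name}>"))
        if "style" in attrs:
            self.findings.append((line, "style-attr", f"<{tag} style>"))
        # A matching nonce exempts <script>/<style> elements only, never
        # attributes; <script src=...> is already external.
        nonced = self.nonce is not None and attrs.get("nonce") == self.nonce
        if tag == "style" or (tag == "script" and "src" not in attrs):
            self._open = None if nonced else (f"inline-{tag}", line)

    def handle_data(self, data):
        if self._open and data.strip():
            kind, line = self._open
            self.findings.append((line, kind, data.strip()[:40]))
            self._open = None

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._open = None

def audit(html, nonce=None):
    parser = InlineAudit(nonce)
    parser.feed(html)
    parser.close()
    return parser.findings
```

Running `audit(SAMPLE, nonce="r4nd0m")` still reports the `onmouseout` and `style` attributes, because a nonce covers only `<script>` and `<style>` elements; those attributes have to move to external files either way.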