Move Javascript to external files #782

Open
okohll opened this issue Oct 13, 2018 · 2 comments

Comments

@okohll

okohll commented Oct 13, 2018

Can I suggest moving embedded Javascript into external .js files? We have started using a Content Security Policy that disallows embedding JS with <script> tags as well as inline event handlers such as onmouseout.

Similarly, inline styles are disallowed; however, broken JS has the greatest impact.

I imagine use of CSPs like this is going to get more prevalent as time goes on.

fhuschle pushed a commit to fhuschle/javamelody that referenced this issue Aug 26, 2020
fhuschle pushed a commit to fhuschle/javamelody that referenced this issue Aug 28, 2020
@evernat
Member

evernat commented Sep 4, 2020

Hi @okohll @fhuschle and others,
Would you be ok if javamelody html pages use a nonce for inline javascripts, instead of externalizing every bit of javascript?
The nonce would need to be generated for each page and set in the Content-Security-Policy header and set in the HTTP request attributes, by javamelody or else by the application. See https://csp.withgoogle.com/docs/adopting-csp.html for example.

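The per-page nonce flow described in the comment above, as an added example that is not javamelody's own code: a hypothetical `javax.servlet` filter generates a fresh nonce for every response, stores it in a request attribute (the attribute name `cspNonce` is an assumption) so the page renderer can emit `<script nonce="...">`, and sends a `Content-Security-Policy` header that permits only inline scripts carrying that nonce. The policy string follows the nonce-based pattern from the linked Google guide.

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Base64;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Example filter (not part of javamelody): one nonce per response, exposed to
 * the page through a request attribute and declared in the CSP header.
 */
public class CspNonceFilter implements Filter {

    /** Request attribute the page renderer reads the nonce from (assumed name). */
    public static final String NONCE_ATTRIBUTE = "cspNonce";

    private static final SecureRandom RANDOM = new SecureRandom();

    /** 128 bits from a CSPRNG, base64-encoded: unguessable and valid in a 'nonce-...' source. */
    static String generateNonce() {
        byte[] bytes = new byte[16];
        RANDOM.nextBytes(bytes);
        return Base64.getEncoder().encodeToString(bytes);
    }

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;

        String nonce = generateNonce();

        // The renderer reads this attribute and writes <script nonce="..."> on each inline block.
        httpRequest.setAttribute(NONCE_ATTRIBUTE, nonce);

        // The header must be set before the response is committed, i.e. before the chain runs.
        // Only inline scripts tagged with this nonce execute. Inline event handler attributes
        // (onmouseout="...") cannot carry a nonce and stay blocked, so they have to become
        // addEventListener calls inside a nonced <script>. 'strict-dynamic' lets nonced scripts
        // load further scripts; 'https:' and 'unsafe-inline' are ignored by CSP3 browsers and
        // only serve as fallbacks for older ones.
        httpResponse.setHeader("Content-Security-Policy",
                "object-src 'none'; base-uri 'none'; "
                + "script-src 'nonce-" + nonce + "' 'strict-dynamic' https: 'unsafe-inline'");

        chain.doFilter(request, response);
    }

    @Override
    public void destroy() { }
}
```

With the filter mapped in front of the monitoring page, a JSP or HTML template would emit `<script nonce="${cspNonce}">...</script>` for each inline block; a nonce reused across responses, or one cached by a proxy, gives an attacker a fixed value to target, so the value must change on every response. A Tomcat Valve that hard-codes a static header, as described later in this thread, cannot express this policy, since the header has to include the nonce generated for that specific response.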
@okohll
Author

okohll commented Sep 4, 2020

Hi, I'm afraid we no longer use Javamelody as a lot of the stats were duplicated by another monitoring system which centralises Tomcat JMX, database, server and other sources. However Javamelody is a great tool and we may go back to using it for additional purposes (e.g. the method call monitoring) at a later date.

To answer the question, I can't see a problem with nonces, especially if the Javamelody app can set or append to the required HTTP headers. However if it requires integration with the server/app being monitored to set the correct headers, that sounds like it could be more complicated for the user. We use a Valve for the Tomcat server to 'hard-code' the set of CSP headers we use, there's no interaction with the app.
