When a script-src Content-Security-Policy is defined without unsafe-inline, Jira does not function



      Issue Summary

      When a script-src Content-Security-Policy is defined, Jira does not work unless the source unsafe-inline is provided.

      Implementing a script-src CSP can be considered important, as it minimises the risk of XSS attacks by blocking script execution via inline <script> blocks and attributes like onclick, onerror, and so forth.

      There are a number of inline script blocks in Jira's front-end markup, so a script-src CSP that does not break them has to include unsafe-inline, which in turn permits JavaScript execution from within the page markup (the very thing the policy is meant to block).

      Further reading: https://csper.io/blog/no-more-unsafe-inline

      Possible solutions

      • Dynamically generate the CSP and nonce values on the fly for inline scripts
      • Relocate inline scripts to JavaScript files, which would then pass the CSP
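      To make the two possible solutions concrete, here is an added Python example (not Jira's or Atlassian's code). It audits constructed sample markup for what a script-src policy without unsafe-inline would block, then applies a per-response nonce to the inline script blocks as in the first solution; the sample HTML, the function names and the policy value are assumptions of this example.

```python
import re
import secrets
from html.parser import HTMLParser

# Constructed sample markup standing in for a page with inline scripts (not Jira's real HTML).
SAMPLE_HTML = """<html><head><script src="/static/app.js"></script>
<script>window.config = {"base": "/jira"};</script></head>
<body><button onclick="doThing()">Go</button>
<img src="x.png" onerror="report()"><a href="javascript:void(0)">link</a></body></html>"""

class _Auditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.report = {"inline_scripts": 0, "external_scripts": 0, "event_handlers": [], "javascript_urls": 0}
        self._open_inline_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            if attrs.get("src"):
                self.report["external_scripts"] += 1  # allowed via 'self' or a listed host
            else:  # an inline block is allowed only if it carries the response's nonce
                self._open_inline_script = "nonce" not in attrs
        for name, value in attrs.items():
            if name.startswith("on"):  # onclick, onerror, ...: a nonce cannot allow these
                self.report["event_handlers"].append((tag, name))
            elif value and value.strip().lower().startswith("javascript:"):
                self.report["javascript_urls"] += 1

    def handle_endtag(self, tag):
        if tag == "script" and self._open_inline_script:
            self.report["inline_scripts"] += 1
            self._open_inline_script = False

def audit(html):
    """Count the constructs in `html` that script-src without 'unsafe-inline' blocks."""
    parser = _Auditor()
    parser.feed(html)
    return parser.report

def apply_nonce(html, nonce):
    """Possible solution 1: tag every inline <script> with the per-response nonce."""
    return re.sub(r"<script(?![^>]*\bsrc=)(?![^>]*\bnonce=)",
                  f'<script nonce="{nonce}"', html, flags=re.IGNORECASE)

def render(html):
    """Return (CSP header value, page) sharing one fresh nonce; call once per response."""
    nonce = secrets.token_urlsafe(16)
    return f"script-src 'self' 'nonce-{nonce}'", apply_nonce(html, nonce)
```

      Re-running audit() on the nonced page shows the inline script blocks are now allowed, but the onclick/onerror attributes are still reported: a nonce cannot cover inline event handlers, so those need the second solution (moving them into JavaScript files).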

            Assignee: Unassigned
            Reporter: Alex [Atlassian, PSE]
            Votes: 6
            Watchers: 6
