Avoid tying CSP {nonce} placeholder to specific stacks

ziqin · ziqin · commit f666e444f8a2 · 2026-04-03T20:17:34.000+08:00
Signed-off-by: Ziqin Wang &lt;ziqin@wangziqin.net&gt;
diff --git a/web/src/main/java/org/springframework/security/web/header/writers/ContentSecurityPolicyHeaderWriter.java b/web/src/main/java/org/springframework/security/web/header/writers/ContentSecurityPolicyHeaderWriter.java
@@ -120,7 +120,7 @@ public final class ContentSecurityPolicyHeaderWriter implements HeaderWriter {
 
 	private static final String DEFAULT_SRC_SELF_POLICY = "default-src 'self'";
 
-	public static final String NONCE_PLACEHOLDER = "{nonce}";
+	private static final String NONCE_PLACEHOLDER = "{nonce}";
 
 	private String policyDirectives;
 
diff --git a/web/src/main/java/org/springframework/security/web/server/header/ContentSecurityPolicyServerHttpHeadersWriter.java b/web/src/main/java/org/springframework/security/web/server/header/ContentSecurityPolicyServerHttpHeadersWriter.java
@@ -61,7 +61,7 @@ public final class ContentSecurityPolicyServerHttpHeadersWriter implements Serve
 
 	public static final String CONTENT_SECURITY_POLICY_REPORT_ONLY = "Content-Security-Policy-Report-Only";
 
-	public static final String NONCE_PLACEHOLDER = "{nonce}";
+	private static final String NONCE_PLACEHOLDER = "{nonce}";
 
 	private @Nullable String policyDirectives;
 
