WW-5504 Allows to use request instead of session attribute to store nonce

[lukaszlenart]

WW-5504

[assachs]

I'm not sure if i missed something.

In DefaultCSPSettings, when creating the poplicy format, the nonce is always taken from the session

` return format(policyFormatBuilder.toString(), getNonceString(request));
}

protected String getNonceString(HttpServletRequest request) {
    Object nonce = **request.getSession().getAttribute(NONCE_KEY);**
    return Objects.toString(nonce);
}`

[lukaszlenart]

Thanks, fixed! Yet I'm not sure if this is a proper way to do it

[sonarqubecloud]

Quality Gate failed

Failed conditions
22 Security Hotspots
42.3% Coverage on New Code (required ≥ 80%)
3.4% Duplication on New Code (required ≤ 3%)
E Security Rating on New Code (required ≥ A)
E Reliability Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE