Version 6 of Struts introduced the Content Security Policy interceptor which is in the default stack. It has a nonce-based attribute which allows putting scripts and links via the Struts <s:script> and <s:link> tag, which is quite nice.
However, I do want to be able to set the base-uri value to the standard one for my site. I do not see an easy way to do this. There is a CSPSettings class which allows setting things on a per-action basis -- I'd prefer global -- but even there, it doesn't seem to do what I want. You can change from report-only to enforced, and change where reports are sent -- and that seems to be it.
Anyone know how to do this?