Posted to dev@myfaces.apache.org by "Thomas Andraschko (JIRA)" <de...@myfaces.apache.org> on 2019/01/28 10:42:00 UTC

[jira] [Created] (MYFACES-4280) CSP: nonce attribute on script tags will be ignored on ajax updates

Thomas Andraschko created MYFACES-4280:
------------------------------------------

             Summary: CSP: nonce attribute on script tags will be ignored on ajax updates
                 Key: MYFACES-4280
                 URL: https://issues.apache.org/jira/browse/MYFACES-4280
             Project: MyFaces Core
          Issue Type: New Feature
            Reporter: Thomas Andraschko
            Assignee: Werner Punz


Simple CSP case:

- add a static nonce via phaselistener/servletfilter in the headers
- add the static nonce to a script tag

This works fine for a GET request or non-ajax POST, but our ajax engine just ignores the nonce attribute on scripts and the following error occurs in the browser:

Content Security Policy: Die Einstellungen der Seite haben das Laden einer Ressource auf inline blockiert ("script-src").


There will probably be other tickets in the future, but that's the first basic case which must be supported.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
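
The case reported above, as an added example that is not part of the original message and is not MyFaces code: a simplified model of an ajax engine that strips inline scripts from an update fragment and re-creates them as elements, copying the nonce only when the response's own tag carried the page nonce. The function names, the nonce value and the sample fragment are constructed for illustration; in a browser `doc` would be `document`.

```javascript
// Added example; simplified model of an ajax engine's script handling.
// Regex extraction stands in for real HTML parsing and handles only
// plain <script ...>...</script> blocks.
const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const NONCE_RE = /\bnonce\s*=\s*(?:"([^"]*)"|'([^']*)')/i;

// Split an update fragment into markup (for innerHTML, where scripts never
// execute) and the inline scripts that must be re-created separately.
function extractScripts(fragment) {
  const scripts = [];
  const markup = fragment.replace(SCRIPT_RE, (_, attrs, code) => {
    const m = NONCE_RE.exec(attrs);
    scripts.push({ code, nonce: m ? (m[1] ?? m[2]) : null });
    return "";
  });
  return { markup, scripts };
}

// Re-create each script as a real element. The nonce is copied only when the
// response's own tag carried the page nonce; stamping it on every script
// would let injected markup inherit the page's trust.
function applyScripts(doc, scripts, pageNonce) {
  const skipped = [];
  for (const s of scripts) {
    if (s.nonce !== pageNonce) { skipped.push(s); continue; }
    const el = doc.createElement("script");
    el.setAttribute("nonce", s.nonce); // the step that is lost when the nonce is ignored
    el.text = s.code;
    doc.head.appendChild(el);
  }
  return skipped; // left for the caller to log; CSP would block these anyway
}

// Constructed sample data (hypothetical nonce and update fragment).
const PAGE_NONCE = "r4nd0m";
const SAMPLE_UPDATE =
  '<div id="out">updated</div>' +
  '<script nonce="r4nd0m">window.updated = true;</script>' +
  "<script>window.injected = true;</script>";
```
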