Posted to dev@myfaces.apache.org by "Thomas Andraschko (Jira)" <de...@myfaces.apache.org> on 2019/09/30 16:59:01 UTC

[jira] [Commented] (MYFACES-4280) CSP: nonce attribute on script tags will be ignored on ajax updates

    [ https://issues.apache.org/jira/browse/MYFACES-4280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16941137#comment-16941137 ] 

Thomas Andraschko commented on MYFACES-4280:
--------------------------------------------

Behavior scripts are now passed as a function to the jsf.util.chain method instead of a string.
It's activated by default.

It's possible to switch to the old behavior via: org.apache.myfaces.RENDER_CLIENTBEHAVIOR_SCRIPTS_AS_STRING=true

> CSP: nonce attribute on script tags will be ignored on ajax updates
> -------------------------------------------------------------------
>
>                 Key: MYFACES-4280
>                 URL: https://issues.apache.org/jira/browse/MYFACES-4280
>             Project: MyFaces Core
>          Issue Type: New Feature
>            Reporter: Thomas Andraschko
>            Assignee: Werner Punz
>            Priority: Major
>             Fix For: 3.0.0-SNAPSHOT
>
>
> simple CSP case:
>  - add a static nonce via phaselistener/servlet filter in the headers
>  - add the static nonce to a script tag
> This works fine for a GET request or non-ajax POST, but our ajax engine just ignores the nonce attribute on scripts and the following error occurs in the browser:
> Content Security Policy: Die Einstellungen der Seite haben das Laden einer Ressource auf inline blockiert ("script-src").
> There will probably be other tickets in the future, but that's the first basic case which must be supported.
> There are of course other problems like onclick handlers in the DOM or the eval node in the partial-response.
> Similar to: https://github.com/jquery/jquery/issues/3541



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
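The following is an added illustration, not code from MyFaces or its jsf.js, of the two points above: why a client behavior handed to a chain as a function survives a strict Content-Security-Policy while the same behavior rendered as a string does not (a string can only run by being evaluated, which script-src without 'unsafe-eval' refuses), and why a script inserted during an ajax update must carry the page's nonce to be allowed. The CSP is simulated by a flag, and the `chain`, `runStringBehavior`, `createNoncedScript` and `stubDocument` names are assumptions made for this example; they are not the framework's API.

```javascript
"use strict";
// Added example (not MyFaces code). Models the function-vs-string rendering
// of client behaviors (org.apache.myfaces.RENDER_CLIENTBEHAVIOR_SCRIPTS_AS_STRING)
// and nonce propagation for scripts inserted during an ajax update.

// Simulated policy: true would mean the page's CSP lists 'unsafe-eval'.
const CSP_ALLOWS_EVAL = false;

// A string behavior can only run by evaluating the string. Under a strict
// CSP the browser throws an EvalError instead; reproduced here.
function runStringBehavior(source, event, src) {
  if (!CSP_ALLOWS_EVAL) {
    throw new EvalError(
      "Refused to evaluate a string as JavaScript: 'unsafe-eval' is not an allowed source of script");
  }
  return new Function("event", src).call(source, event);
}

// Run handlers in order; stop and report false as soon as one returns false.
// Accepts both handler kinds so the two rendering modes can be compared.
function chain(source, event, ...handlers) {
  for (const handler of handlers) {
    const result = typeof handler === "function"
      ? handler.call(source, event)
      : runStringBehavior(source, event, String(handler));
    if (result === false) return false;
  }
  return true;
}

// Function-rendered behaviors: the code was parsed together with the page
// (where the nonce authorised it), so no string evaluation happens on click.
function runFunctionBehaviors() {
  const trace = [];
  const ok = chain({ id: "form:button" }, { type: "click" },
    function (event) { trace.push(this.id + ":" + event.type); return true; },
    function () { trace.push("ajax-request"); });
  return { ok, trace };
}

// String-rendered behaviors: the same logic as text, which a strict CSP
// refuses to evaluate. Returns the error name instead of throwing.
function runStringBehaviors() {
  try {
    chain({ id: "form:button" }, { type: "click" }, "return true;", "/* ajax */");
    return "ran";
  } catch (e) {
    return e.name;
  }
}

// A <script> arriving in a partial response never executes when inserted via
// innerHTML; a freshly created script element does, but only if it carries
// the page's nonce. `doc` is any object offering createElement/querySelector
// (the browser `document`, or the stub below for offline use).
function createNoncedScript(doc, code) {
  const existing = doc.querySelector("script[nonce]");
  const script = doc.createElement("script");
  if (existing && existing.nonce) {
    script.nonce = existing.nonce; // IDL property, not a visible attribute
  }
  script.textContent = code;
  return script;
}

// Constructed stand-in for `document`, holding one nonced script element.
function stubDocument(pageNonce) {
  return {
    querySelector: (sel) => (sel === "script[nonce]" ? { nonce: pageNonce } : null),
    createElement: (tag) => ({ tagName: tag.toUpperCase(), nonce: "", textContent: "" }),
  };
}

// Stand-alone run: function form succeeds, string form is refused.
console.log(JSON.stringify(runFunctionBehaviors()));
console.log(runStringBehaviors());
console.log(createNoncedScript(stubDocument("constructed-nonce"), "/* partial-response script */").nonce);
```

In a browser the same distinction holds for inline `onclick` attributes, which the ticket lists as a remaining problem: they are evaluated as strings by the browser and are blocked by script-src regardless of any nonce.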