Posted to commits@myfaces.apache.org by hn...@apache.org on 2024/03/22 07:08:30 UTC
(myfaces-tobago) branch tobago-5.x updated: fix(demo): CSP example
This is an automated email from the ASF dual-hosted git repository.
hnoeth pushed a commit to branch tobago-5.x
in repository https://gitbox.apache.org/repos/asf/myfaces-tobago.git
The following commit(s) were added to refs/heads/tobago-5.x by this push:
new 41d91009ce fix(demo): CSP example
41d91009ce is described below
commit 41d91009ce48952743570682c833b886362904b8
Author: Henning Noeth <hn...@apache.org>
AuthorDate: Wed Mar 20 14:38:42 2024 +0100
fix(demo): CSP example
* fix CSP example JavaScript
* remove script-src: unsafe-inline to fix the CSP example; the WebSocket example no longer works
---
.../src/main/webapp/WEB-INF/tobago-config.xml | 32 ++++++++++------------
.../05-csp/Content_Security_Policy.xhtml | 8 ++----
2 files changed, 18 insertions(+), 22 deletions(-)
diff --git a/tobago-example/tobago-example-demo/src/main/webapp/WEB-INF/tobago-config.xml b/tobago-example/tobago-example-demo/src/main/webapp/WEB-INF/tobago-config.xml
index 6c182ba4cb..127394ff9a 100644
--- a/tobago-example/tobago-example-demo/src/main/webapp/WEB-INF/tobago-config.xml
+++ b/tobago-example/tobago-example-demo/src/main/webapp/WEB-INF/tobago-config.xml
@@ -35,7 +35,7 @@
</after>
</ordering>
-<!-- using all available themes, if this is not set XXX to be implemented TOBAGO-1664 -->
+ <!-- using all available themes, if this is not set XXX to be implemented TOBAGO-1664 -->
<theme-config>
<default-theme>standard</default-theme>
<supported-theme>scarborough</supported-theme>
@@ -47,14 +47,14 @@
</theme-config>
<!-- currently you need to switch this check off for quarkus -->
-<!-- <check-session-secret>false</check-session-secret>-->
+ <!-- <check-session-secret>false</check-session-secret>-->
<!-- This is needed for the testing functionality of the demo, it works with iframes -->
<prevent-frame-attacks>false</prevent-frame-attacks>
<content-security-policy mode="on">
- <!-- script-src: 'unsafe-inline' is required for WebSockets -->
- <directive name="script-src">'unsafe-inline'</directive>
+ <!-- script-src: 'unsafe-inline' is required for WebSockets but breaks the CSP example -->
+ <!-- <directive name="script-src">'unsafe-inline'</directive> -->
<!-- needed for <tc:object> demo -->
<directive name="child-src">https://www.openstreetmap.org</directive>
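Review bot: Commenting out the `script-src` directive leaves no explicit `script-src` in this config, so the effective script policy now depends on the framework's default, which is not visible in the hunk; the comment next to the disabled line should say what that fallback is rather than only why the directive was removed. Suggested wording: `<!-- no script-src configured here: the framework default applies; 'unsafe-inline' was dropped because it would let the CSP example's inline script run -->`. The description accepts that the WebSocket example breaks, and restoring `'unsafe-inline'` would defeat the CSP demo again, so if the framework can emit a nonce or hash for that one script, a TODO pointing at the WebSocket example belongs here instead of a comment that reads as if `'unsafe-inline'` may simply be re-enabled later.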
@@ -62,8 +62,6 @@
<!-- needed for the test suite -->
<directive name="child-src">'self'</directive>
-
- <!-- needed for the test suite -->
<directive name="frame-ancestors">'self'</directive>
<!-- needed for the tinymce editor demo -->
@@ -79,17 +77,17 @@
<!-- "disable" is the default -->
<!--<security-annotation>disable</security-annotation>-->
-<!-- this is the default...
- <sanitizer>
- <sanitizer-class>org.apache.myfaces.tobago.sanitizer.JsoupSanitizer</sanitizer-class>
- <properties>
- <!–
- Use one of: basic, basicWithImages, relaxed, simpleText or none
- –>
- <entry key="safelist">relaxed</entry>
- </properties>
- </sanitizer>
--->
+ <!-- this is the default...
+ <sanitizer>
+ <sanitizer-class>org.apache.myfaces.tobago.sanitizer.JsoupSanitizer</sanitizer-class>
+ <properties>
+ <!–
+ Use one of: basic, basicWithImages, relaxed, simpleText or none
+ –>
+ <entry key="safelist">relaxed</entry>
+ </properties>
+ </sanitizer>
+ -->
<!-- "false" disables the TobagoExceptionHandler -->
<!--<enable-tobago-exception-handler>false</enable-tobago-exception-handler>-->
diff --git a/tobago-example/tobago-example-demo/src/main/webapp/content/280-security/05-csp/Content_Security_Policy.xhtml b/tobago-example/tobago-example-demo/src/main/webapp/content/280-security/05-csp/Content_Security_Policy.xhtml
index 378f572441..3c451a0b77 100644
--- a/tobago-example/tobago-example-demo/src/main/webapp/content/280-security/05-csp/Content_Security_Policy.xhtml
+++ b/tobago-example/tobago-example-demo/src/main/webapp/content/280-security/05-csp/Content_Security_Policy.xhtml
@@ -47,11 +47,9 @@
value="When you can read this text, the content was manipulated by JavaScript. It seems, your browser doesn't support CSP!"/>
<i class="bi-exclamation-triangle fs-2 text-danger"></i>
</tc:panel>
- <script type="application/javascript">
- document.addEventListener("DOMContentLoaded", function (event) {
- document.getElementById("page:mainForm:panel-good").classList.add("d-none");
- document.getElementById("page:mainForm:panel-bad").classList.remove("d-none");
- });</script>
+ <!--@formatter:off-->
+ <script type="application/javascript">document.addEventListener("DOMContentLoaded", function (event) {document.getElementById("page:mainForm:panel-good").classList.add("d-none");document.getElementById("page:mainForm:panel-bad").classList.remove("d-none");});</script>
+ <!--@formatter:on-->
</tc:box>
</ui:composition>
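Review bot: The one-line `<script>` between the `@formatter:off`/`@formatter:on` markers carries no explanation of why it must stay unformatted, and nothing in the page states that this script is expected to be blocked by the demo's CSP, which is the whole point of the example (the "bad" panel text at the top of the hunk only appears when the script runs). A comment above `<!--@formatter:off-->` would keep a later cleanup from reverting it, e.g. `<!-- This inline script is meant to be blocked by the demo CSP (no 'unsafe-inline'); if it runs, the "bad" panel replaces the "good" one. Keep on one line. -->`. The reason for collapsing the script to a single line is not visible here — presumably a formatting or whitespace issue with the inline script — so if that is the cause, name it in the same comment. The enclosing `<tc:box>` starts before this hunk.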