Posted to commits@myfaces.apache.org by hn...@apache.org on 2024/03/22 07:08:30 UTC

(myfaces-tobago) branch tobago-5.x updated: fix(demo): CSP example

This is an automated email from the ASF dual-hosted git repository.

hnoeth pushed a commit to branch tobago-5.x
in repository https://gitbox.apache.org/repos/asf/myfaces-tobago.git


The following commit(s) were added to refs/heads/tobago-5.x by this push:
     new 41d91009ce fix(demo): CSP example
41d91009ce is described below

commit 41d91009ce48952743570682c833b886362904b8
Author: Henning Noeth <hn...@apache.org>
AuthorDate: Wed Mar 20 14:38:42 2024 +0100

    fix(demo): CSP example
    
    * fix CSP example JavaScript
    * remove script-src: unsafe-inline, to fix CSP example; WebSocket example doesn't work now
---
 .../src/main/webapp/WEB-INF/tobago-config.xml      | 32 ++++++++++------------
 .../05-csp/Content_Security_Policy.xhtml           |  8 ++----
 2 files changed, 18 insertions(+), 22 deletions(-)

diff --git a/tobago-example/tobago-example-demo/src/main/webapp/WEB-INF/tobago-config.xml b/tobago-example/tobago-example-demo/src/main/webapp/WEB-INF/tobago-config.xml
index 6c182ba4cb..127394ff9a 100644
--- a/tobago-example/tobago-example-demo/src/main/webapp/WEB-INF/tobago-config.xml
+++ b/tobago-example/tobago-example-demo/src/main/webapp/WEB-INF/tobago-config.xml
@@ -35,7 +35,7 @@
     </after>
   </ordering>
 
-<!-- using all available themes, if this is not set XXX to be implemented TOBAGO-1664 -->
+  <!-- using all available themes, if this is not set XXX to be implemented TOBAGO-1664 -->
   <theme-config>
     <default-theme>standard</default-theme>
     <supported-theme>scarborough</supported-theme>
@@ -47,14 +47,14 @@
   </theme-config>
 
   <!-- currently you need to switch this check off for quarkus -->
-<!--  <check-session-secret>false</check-session-secret>-->
+  <!--  <check-session-secret>false</check-session-secret>-->
 
   <!-- This is needed for the testing functionality of the demo, it works with iframes -->
   <prevent-frame-attacks>false</prevent-frame-attacks>
 
   <content-security-policy mode="on">
-    <!-- script-src: 'unsafe-inline' is required for WebSockets -->
-    <directive name="script-src">'unsafe-inline'</directive>
+    <!-- script-src: 'unsafe-inline' is required for WebSockets but breaks the CSP example -->
+    <!-- <directive name="script-src">'unsafe-inline'</directive> -->
 
     <!-- needed for <tc:object> demo -->
     <directive name="child-src">https://www.openstreetmap.org</directive>
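Review bot: Commenting out the `script-src` directive instead of replacing it makes the effective script-src policy implicit — whatever the framework's built-in default is — and the new comment does not say what that default is, so a reader of this file cannot tell whether inline scripts are now blocked or the directive has simply vanished. CSP offers nonce- and hash-based source expressions (`'nonce-…'`, `'sha256-…'`) that would let the WebSocket inline script run without `'unsafe-inline'`, which would keep both examples working; whether this project can emit a per-response nonce I cannot tell from this hunk. I would extend the comment to `<!-- script-src: 'unsafe-inline' is required for the WebSocket example but defeats the CSP example; with the directive removed the framework default applies (TODO: record the effective default here). A nonce or hash source would allow both examples. -->`. The enclosing `<content-security-policy>` element ends outside the hunk.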
@@ -62,8 +62,6 @@
 
     <!-- needed for the test suite -->
     <directive name="child-src">'self'</directive>
-
-    <!-- needed for the test suite -->
     <directive name="frame-ancestors">'self'</directive>
 
     <!-- needed for the tinymce editor demo -->
@@ -79,17 +77,17 @@
   <!-- "disable" is the default -->
   <!--<security-annotation>disable</security-annotation>-->
 
-<!-- this is the default...
-  <sanitizer>
-    <sanitizer-class>org.apache.myfaces.tobago.sanitizer.JsoupSanitizer</sanitizer-class>
-    <properties>
-      &lt;!&ndash;
-       Use one of: basic, basicWithImages, relaxed, simpleText or none
-       &ndash;&gt;
-      <entry key="safelist">relaxed</entry>
-    </properties>
-  </sanitizer>
--->
+  <!-- this is the default...
+    <sanitizer>
+      <sanitizer-class>org.apache.myfaces.tobago.sanitizer.JsoupSanitizer</sanitizer-class>
+      <properties>
+        &lt;!&ndash;
+         Use one of: basic, basicWithImages, relaxed, simpleText or none
+         &ndash;&gt;
+        <entry key="safelist">relaxed</entry>
+      </properties>
+    </sanitizer>
+  -->
 
   <!-- "false" disables the TobagoExceptionHandler -->
   <!--<enable-tobago-exception-handler>false</enable-tobago-exception-handler>-->
diff --git a/tobago-example/tobago-example-demo/src/main/webapp/content/280-security/05-csp/Content_Security_Policy.xhtml b/tobago-example/tobago-example-demo/src/main/webapp/content/280-security/05-csp/Content_Security_Policy.xhtml
index 378f572441..3c451a0b77 100644
--- a/tobago-example/tobago-example-demo/src/main/webapp/content/280-security/05-csp/Content_Security_Policy.xhtml
+++ b/tobago-example/tobago-example-demo/src/main/webapp/content/280-security/05-csp/Content_Security_Policy.xhtml
@@ -47,11 +47,9 @@
           value="When you can read this text, the content was manipulated by JavaScript. It seems, your browser doesn't support CSP!"/>
       <i class="bi-exclamation-triangle fs-2 text-danger"></i>
     </tc:panel>
-    <script type="application/javascript">
-      document.addEventListener("DOMContentLoaded", function (event) {
-        document.getElementById("page:mainForm:panel-good").classList.add("d-none");
-        document.getElementById("page:mainForm:panel-bad").classList.remove("d-none");
-      });</script>
+    <!--@formatter:off-->
+    <script type="application/javascript">document.addEventListener("DOMContentLoaded", function (event) {document.getElementById("page:mainForm:panel-good").classList.add("d-none");document.getElementById("page:mainForm:panel-bad").classList.remove("d-none");});</script>
+    <!--@formatter:on-->
   </tc:box>
 
 </ui:composition>
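Review bot: The reason the inline script is collapsed onto a single line between the `@formatter:off`/`@formatter:on` markers is recorded nowhere in the hunk, so the next maintainer who reformats the file will undo it without noticing, and the commit message only says "fix CSP example JavaScript". The surrounding markup shows the intent — the panel text says the content was manipulated by JavaScript only when CSP is not enforced — so the script is expected to be blocked, which is also not stated at the script itself. I would add, before the formatter marker, `<!-- This inline script is meant to be blocked by the CSP (no 'unsafe-inline', no nonce); the "bad" panel only appears when CSP is not enforced. Kept on one line deliberately — TODO: note why the multi-line form broke the example. -->`. Minor style point: the `event` parameter of the `DOMContentLoaded` handler is unused and could be dropped. The enclosing `<tc:box>` starts outside the hunk.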