Posted to commits@myfaces.apache.org by lo...@apache.org on 2017/09/20 08:22:00 UTC
[myfaces-tobago] 02/02: TOBAGO-1791: There should be a "nonce" for
each request to protect CSS with CSP * using nonce only for inline src
(also only for style, currently we have no inline scripts)
This is an automated email from the ASF dual-hosted git repository.
lofwyr pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/myfaces-tobago.git
commit 3657a5e613961e04a6bc2c9cd0755a403cea0fac
Author: Udo Schnurpfeil <lo...@apache.org>
AuthorDate: Wed Sep 20 10:21:30 2017 +0200
TOBAGO-1791: There should be a "nonce" for each request to protect CSS with CSP
* using nonce only for inline src (also only for style, currently we have no inline scripts)
---
.../myfaces/tobago/internal/renderkit/renderer/ScriptRenderer.java | 2 --
.../myfaces/tobago/internal/renderkit/renderer/StyleRenderer.java | 1 -
tobago-core/src/main/resources/META-INF/tobago-config.xml | 4 +++-
3 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/renderkit/renderer/ScriptRenderer.java b/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/renderkit/renderer/ScriptRenderer.java
index c87fe2f..7b98399 100644
--- a/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/renderkit/renderer/ScriptRenderer.java
+++ b/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/renderkit/renderer/ScriptRenderer.java
@@ -20,7 +20,6 @@
package org.apache.myfaces.tobago.internal.renderkit.renderer;
import org.apache.myfaces.tobago.internal.component.AbstractUIScript;
-import org.apache.myfaces.tobago.internal.context.Nonce;
import org.apache.myfaces.tobago.renderkit.RendererBase;
import org.apache.myfaces.tobago.renderkit.html.HtmlAttributes;
import org.apache.myfaces.tobago.renderkit.html.HtmlElements;
@@ -44,7 +43,6 @@ public class ScriptRenderer extends RendererBase {
// XXX with defer activated, pages are not shown reliable
// writer.writeAttribute(HtmlAttributes.DEFER, true);
writer.writeAttribute(HtmlAttributes.TYPE, "text/javascript", false);
- writer.writeAttribute(HtmlAttributes.NONCE, Nonce.getNonce(facesContext), false);
writer.endElement(HtmlElements.SCRIPT);
}
diff --git a/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/renderkit/renderer/StyleRenderer.java b/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/renderkit/renderer/StyleRenderer.java
index 6a694a3..fbdb4a3 100644
--- a/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/renderkit/renderer/StyleRenderer.java
+++ b/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/renderkit/renderer/StyleRenderer.java
@@ -58,7 +58,6 @@ public class StyleRenderer extends RendererBase {
writer.writeAttribute(HtmlAttributes.HREF, file, true);
// writer.writeAttribute(HtmlAttributes.MEDIA, "screen", false);
writer.writeAttribute(HtmlAttributes.TYPE, "text/css", false);
- writer.writeAttribute(HtmlAttributes.NONCE, Nonce.getNonce(facesContext), false);
writer.endElement(HtmlElements.LINK);
} else {
diff --git a/tobago-core/src/main/resources/META-INF/tobago-config.xml b/tobago-core/src/main/resources/META-INF/tobago-config.xml
index 9979556..e6c046e 100644
--- a/tobago-core/src/main/resources/META-INF/tobago-config.xml
+++ b/tobago-core/src/main/resources/META-INF/tobago-config.xml
@@ -26,8 +26,10 @@
<name>tobago-config</name>
<content-security-policy mode="on">
+ <directive name="style-src">'unsafe-inline'</directive> <!-- is only active, when browser doesn't support nonce -->
<directive name="style-src">'nonce-${nonce}'</directive>
- <directive name="script-src">'nonce-${nonce}'</directive>
+ <directive name="style-src">'self'</directive>
+ <directive name="script-src">'self'</directive>
</content-security-policy>
</tobago-config>
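Review bot: The comment on the added `'unsafe-inline'` line describes the fallback loosely; browsers that implement CSP Level 2 ignore `'unsafe-inline'` whenever a `'nonce-…'` or hash source appears in the same directive, so on those browsers only inline styles carrying the nonce are applied, while CSP Level 1 browsers honor `'unsafe-inline'` and allow every inline style. I would spell that out in place of the current comment: `<!-- fallback for CSP Level 1 browsers: ignored by browsers that understand 'nonce-...' (they allow only nonced inline styles), but it permits all inline styles on browsers that don't -->`. `script-src` now carries only `'self'`, so any inline script introduced later will be blocked by nonce-aware browsers and nothing in the policy will allow it; a note such as `<!-- no inline scripts are rendered; re-add 'nonce-${nonce}' here before introducing any -->` would keep the next maintainer from being surprised. Whether the config loader merges the three same-named `style-src` elements into one directive value, and whether `${nonce}` resolves to a fresh, unpredictable value on every response, cannot be seen from this hunk and is worth confirming.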