Thomas Andraschko created MYFACES-4280:
------------------------------------------
Summary: CSP: nonce attribute on script tags will be ignored on
ajax updates
Key: MYFACES-4280
URL: https://issues.apache.org/jira/browse/MYFACES-4280
Project: MyFaces Core
Issue Type: New Feature
Reporter: Thomas Andraschko
Assignee: Werner Punz
Simple CSP case:
- add a static nonce via phaselistener/servletfilter in the headers
- add the static nonce to a script tag
This works fine for a GET request or non-ajax POST, but our ajax engine just
ignores the nonce attribute on scripts and the following error occurs in the
browser:
Content Security Policy: Die Einstellungen der Seite haben das Laden einer
Ressource auf inline blockiert ("script-src").
There will probably be other tickets in the future, but that's the first basic case
which must be supported.
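One way an ajax engine can carry the nonce over when it re-inserts scripts from a partial update, as an added example that is not part of the original issue and not MyFaces code. `readNonce`, `activateScripts`, the fake DOM objects and the nonce value are hypothetical and constructed for illustration.

```javascript
// Added example, not MyFaces code; all function names are hypothetical.

// Browsers blank the nonce content attribute once a script is attached to a
// CSP-protected document and keep the value in the .nonce property, so read
// the property first and fall back to the attribute.
function readNonce(script) {
  return script.nonce || script.getAttribute("nonce") || "";
}

// Scripts written into the page via innerHTML do not execute. Replace each one
// with a freshly created element that carries the same code and nonce, so the
// browser can match it against the nonce in the Content-Security-Policy header.
function activateScripts(doc, container) {
  const activated = [];
  for (const old of Array.from(container.querySelectorAll("script"))) {
    const fresh = doc.createElement("script");
    const nonce = readNonce(old);
    if (nonce) fresh.nonce = nonce; // needed to pass a nonce-based script-src
    const src = old.getAttribute("src");
    if (src) fresh.src = src;
    else fresh.textContent = old.textContent;
    old.parentNode.replaceChild(fresh, old); // inserting the new element runs it
    activated.push(fresh);
  }
  return activated;
}

// Constructed stand-ins for the browser DOM so the example also runs under Node.
function fakeScript(attrs, prop, text) {
  return { nonce: prop, textContent: text, parentNode: { replaceChild() {} },
           getAttribute: (name) => (name in attrs ? attrs[name] : null) };
}

function demo() {
  const doc = { createElement: () => ({ nonce: "", textContent: "" }) };
  const scripts = [
    fakeScript({ nonce: "" }, "r4nd0m", "init();"),    // attached: attribute hidden
    fakeScript({ nonce: "r4nd0m" }, "", "update();"),  // attribute only
    fakeScript({}, "", "legacy();"),                   // no nonce: CSP will block it
  ];
  const container = { querySelectorAll: () => scripts };
  return activateScripts(doc, container).map((s) => [s.nonce, s.textContent]);
}
```

The engine only propagates the nonce; the browser still decides whether it matches the policy sent in the response headers.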