[ https://issues.apache.org/jira/browse/MYFACES-4280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16887811#comment-16887811 ]

Werner Punz edited comment on MYFACES-4280 at 7/18/19 9:58 AM:
---------------------------------------------------------------

It would be easier to tackle the issue with a proper working example. However, 
we have several parts where the nonce needs to be added on the client side: 
loadScriptByBrowser, the CSS loading part, and the eval fallback which utilizes 
the head appendix method.

However, this does not resolve the problem that the nonce also must be added to 
h:outputscript. I cannot append the nonce on the client side to scripts which come 
in via ajax and h:outputscript.

The example must be the loadScriptByBrowser case, because a src attribute is 
mentioned and this is the only script eval case where a browser rendering 
engine fallback is performed instead of using eval and XHR.

was (Author: werpu):
It would be easier to tackle the issue with a proper working example. However, 
we have several parts where the nonce needs to be added on the client side: 
loadScriptByBrowser, the CSS loading part, and the eval fallback which utilizes 
the head appendix method.

However, this does not resolve the problem that the nonce also must be added to 
h:outputscript. I cannot append the nonce on the client side to scripts which come 
in via ajax and h:outputscript.
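
The loadScriptByBrowser case discussed in the comment above, written out as an added example that is not MyFaces code: the function names, the CSP header parsing and the `doc` parameter are assumptions, with `doc` standing in for `document` in a browser.

```javascript
// Added example, not MyFaces code: carry a CSP nonce over to script elements
// that the ajax engine inserts by hand, as in the loadScriptByBrowser case.

// Pull the nonce out of a Content-Security-Policy header value. script-src is
// consulted first, then default-src (the CSP fallback). Returns null if the
// policy that governs scripts carries no nonce.
function extractScriptNonce(cspHeader) {
  const directives = cspHeader.split(';').map((d) => d.trim());
  for (const name of ['script-src', 'default-src']) {
    const d = directives.find((x) => x.startsWith(name + ' ') || x === name);
    if (!d) continue;
    const m = d.match(/'nonce-([A-Za-z0-9+\/=_-]+)'/);
    return m ? m[1] : null;
  }
  return null;
}

// Nonce already present on a server-rendered script tag (the phase listener /
// servlet filter from the ticket). Browsers hide the nonce content attribute
// after parsing, so the `nonce` IDL property is checked before getAttribute.
function findPageNonce(scripts) {
  for (const s of scripts) {
    const n = s.nonce || s.getAttribute('nonce');
    if (n) return n;
  }
  return null;
}

// loadScriptByBrowser: a script with a src attribute from the partial response
// is re-created as a DOM element so the browser fetches and runs it itself.
// Without the nonce the CSP blocks the element; with it the load is allowed.
// `doc` is the document (a stub in tests); returns the inserted element.
function loadScriptByBrowser(doc, src, nonce) {
  const el = doc.createElement('script');
  el.setAttribute('type', 'text/javascript');
  el.setAttribute('src', src);
  if (nonce) {
    // setting the content attribute also sets the element's nonce slot
    el.setAttribute('nonce', nonce);
  }
  doc.head.appendChild(el);
  return el;
}
```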

> CSP: nonce attribute on script tags will be ignored on ajax updates
> -------------------------------------------------------------------
>
>                 Key: MYFACES-4280
>                 URL: https://issues.apache.org/jira/browse/MYFACES-4280
>             Project: MyFaces Core
>          Issue Type: New Feature
>            Reporter: Thomas Andraschko
>            Assignee: Werner Punz
>            Priority: Major
>
> simple CSP case:
>  - add a static nonce via phase listener/servlet filter in the headers
>  - add the static nonce to a script tag
> this works fine for a GET request or non-ajax POST but our ajax engine just 
> ignores the nonce attribute on scripts and the following error occurs in the 
> browser:
> Content Security Policy: Die Einstellungen der Seite haben das Laden einer 
> Ressource auf inline blockiert ("script-src").
> There will probably be other tickets in the future but that's the first basic 
> case which must be supported.
> There are of course other problems like onclick handlers in the DOM or the 
> eval node in the partial-response.
> Similar to: https://github.com/jquery/jquery/issues/3541

--
This message was sent by Atlassian JIRA
(v7.6.14#76016)