[
https://issues.apache.org/jira/browse/MYFACES-4280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16887965#comment-16887965
]
Werner Punz edited comment on MYFACES-4280 at 7/18/19 1:15 PM:
---------------------------------------------------------------
The issue is CSP difference related.
Thomas provided me with an example.
The example worked in Chrome.
It failed in Firefox.
The reason is that Firefox prohibits eval by default while Chrome allows it.
Now the MyFaces codebase relies on eval to run the inline scripts
and generically fetch the namespace modules.
A short workaround would be to allow eval; a long fix probably will be to
investigate whether an eval with nonce is possible, or to move to the header
appendix method only for everything eval and use a nonce there.
I have to do some investigation on how to fix this properly. In the meanwhile,
simply explicitly enable eval so that Firefox and Chrome have the same CSP
behavior.
> CSP: nonce attribute on script tags will be ignored on ajax updates
> -------------------------------------------------------------------
>
> Key: MYFACES-4280
> URL: https://issues.apache.org/jira/browse/MYFACES-4280
> Project: MyFaces Core
> Issue Type: New Feature
> Reporter: Thomas Andraschko
> Assignee: Werner Punz
> Priority: Major
>
> simple CSP case:
> - add a static nonce via phase listener/servlet filter in the headers
> - add the static nonce to a script tag
> This works fine for a GET request or non-ajax POST, but our ajax engine just
> ignores the nonce attribute on scripts and the following error occurs in the
> browser:
> Content Security Policy: The page's settings blocked the loading of a
> resource at inline ("script-src").
> There will probably be other tickets in the future, but that's the first basic
> case which must be supported.
> There are of course other problems, like onclick handlers in the DOM or the
> eval node in the partial-response.
> Similar to: https://github.com/jquery/jquery/issues/3541
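As an added example (not MyFaces code, and not from either ticket participant): the snippet below models the `script-src` checks behind the two reports on this ticket, the nonced script that is blocked on an ajax update, and the eval failure Werner describes. The policy strings, the partial-response fragment and the `applyUpdate*` helpers are assumptions constructed for this demo. It goes slightly beyond the ticket by also showing that `'unsafe-inline'` stops counting once a nonce source is present in the directive.

```javascript
// Added example, not MyFaces code: a small model of how a browser applies
// the script-src directive of a CSP header, used to show why a nonce that
// works for a full page load stops working when an ajax engine replays the
// returned <script> elements through eval, or rebuilds them without the
// nonce attribute. The policy strings and the partial-response fragment
// are constructed for this demo.

// Split the script-src directive of a CSP policy into its source tokens.
function scriptSrcSources(policy) {
  const directive = policy
    .split(';')
    .map(d => d.trim())
    .find(d => d.startsWith('script-src '));
  if (!directive) return [];
  return directive.slice('script-src '.length).split(/\s+/).filter(Boolean);
}

// Decide whether one script execution is allowed by script-src.
//   kind  : 'inline' (a <script> element with an inline body) or 'eval'
//           (eval() / new Function()).
//   nonce : value of the element's nonce attribute, or null.
// Rules modelled after CSP Level 3: eval needs 'unsafe-eval' and is never
// covered by a nonce; an inline element passes when its nonce matches a
// 'nonce-...' source; 'unsafe-inline' is ignored as soon as any nonce or
// hash source is present in the directive.
function scriptAllowed(policy, { kind, nonce = null }) {
  const sources = scriptSrcSources(policy);
  if (kind === 'eval') return sources.includes("'unsafe-eval'");
  const nonceSources = sources.filter(s => s.startsWith("'nonce-"));
  const hashSources = sources.filter(s => /^'sha(256|384|512)-/.test(s));
  if (nonce !== null && nonceSources.includes(`'nonce-${nonce}'`)) return true;
  if (nonceSources.length === 0 && hashSources.length === 0) {
    return sources.includes("'unsafe-inline'");
  }
  return false;
}

// Pull <script> elements (nonce attribute and body) out of an HTML fragment
// such as the <update> payload of a JSF partial-response. A minimal regex
// scanner that is enough for this demo; not a general HTML parser.
function extractScripts(html) {
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  const scripts = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    const nonceAttr = /\bnonce="([^"]*)"/i.exec(m[1]);
    scripts.push({ nonce: nonceAttr ? nonceAttr[1] : null, body: m[2].trim() });
  }
  return scripts;
}

// Behaviour reported in the ticket: the ajax engine runs each script body
// through eval, so the nonce attribute never reaches the CSP check.
function applyUpdateWithEval(policy, html) {
  return extractScripts(html).map(s => ({
    body: s.body,
    allowed: scriptAllowed(policy, { kind: 'eval' }),
  }));
}

// Alternative (assumed fix shape, not the project's): re-create a <script>
// element per body and carry the nonce read from the response text over,
// so the browser treats it as a nonced inline script. In a real page that
// is document.createElement('script'), el.nonce = s.nonce, el.text = s.body,
// then appending to document.head.
function applyUpdateWithNonce(policy, html) {
  return extractScripts(html).map(s => ({
    body: s.body,
    allowed: scriptAllowed(policy, { kind: 'inline', nonce: s.nonce }),
  }));
}

// Constructed sample: a nonce the server put into the header and a
// partial-response <update> fragment that echoes it on its script tag.
const NONCE = 'r4nd0mN0nc3';
const POLICY = `default-src 'self'; script-src 'self' 'nonce-${NONCE}'`;
const FRAGMENT = `<div id="form:panel"><span>updated</span>
<script nonce="${NONCE}">window.updated = true;</script></div>`;

// Summary of the situations discussed on the ticket.
function demo() {
  return {
    fullPageLoad: scriptAllowed(POLICY, { kind: 'inline', nonce: NONCE }),
    ajaxViaEval: applyUpdateWithEval(POLICY, FRAGMENT)[0].allowed,
    ajaxWithNonceCopied: applyUpdateWithNonce(POLICY, FRAGMENT)[0].allowed,
    ajaxViaEvalWithUnsafeEval:
      applyUpdateWithEval(`${POLICY} 'unsafe-eval'`, FRAGMENT)[0].allowed,
  };
}

console.log(demo());
```

Run it with `node`. What the model makes concrete: a nonce only ever covers a `<script>` element that carries it, so anything the ajax engine pushes through `eval()` (including the `<eval>` node of a partial-response, which has no element to attach a nonce to) needs `'unsafe-eval'`; that is the short workaround named in the comment above, and the reason a longer-term fix would have to move the replayed code back into nonced script elements.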
--
This message was sent by Atlassian JIRA
(v7.6.14#76016)