Vitaly Sidorov created MYFACES-4479:
---------------------------------------
Summary: The jsf.js script does not read the nonce correctly in modern browsers.
Key: MYFACES-4479
URL: https://issues.apache.org/jira/browse/MYFACES-4479
Project: MyFaces Core
Issue Type: Bug
Components: General
Affects Versions: 2.3-next-M7
Environment: Myfaces 2.3-next-M7
Chrome: 106.0.5249.103
Reporter: Vitaly Sidorov
In Chrome it is no longer possible to get a nonce with getAttribute("nonce").
You can only use HTMLElement.nonce (see:
[https://developer.mozilla.org/en-US/docs/Web/API/HTMLElement/nonce])
Steps to reproduce:
- set header Content-Security-Policy: script-src 'self' 'nonce-test123'
- set <h:outputScript pt:nonce="test123" library="javax.faces" name="jsf.js" target="head"/>
- set parameters org.apache.myfaces.USE_MULTIPLE_JS_FILES_FOR_JSF_UNCOMPRESSED_JS=false and
javax.faces.PROJECT_STAGE=Development
- open page in browser and get multiple errors in console:
{{jsf.js.jsf?ln=javax.faces&stage=Development:93 Refused to execute inline
script because it violates the following Content Security Policy directive:
"script-src 'self' 'nonce=test123'". Either the 'unsafe-inline' keyword, a hash
('sha256-Xu6aRWi9bDVg9FaanKbn/uUSQUCsJ5g+bPB5SUYUIfk='), or a nonce
('nonce-...') is required to enable inline execution.}}
The reason:
The error occurs on .appendChild(element) in the code
{{var htmlScriptElement = document.head.appendChild(element);}}
{{document.head.removeChild(htmlScriptElement);}}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
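The behaviour reported above, as an added example that is not part of the issue or of the MyFaces code base: a nonce reader that prefers HTMLElement.nonce (the only source once a CSP3 browser has hidden the attribute) and falls back to getAttribute("nonce") for older engines, plus a helper that propagates that nonce to a dynamically created script element so a script-src 'nonce-...' policy allows it. The element and document objects are constructed stand-ins so the snippet runs under Node; in a browser you would pass real DOM objects.

```javascript
// Read the CSP nonce of a script element in a way that works across browser
// generations. In CSP3 engines getAttribute("nonce") returns "" after parsing
// (nonce hiding) and only the IDL property `nonce` carries the value; older
// engines expose only the attribute.
function readNonce(element) {
  if (!element) return "";
  if (typeof element.nonce === "string" && element.nonce !== "") {
    return element.nonce; // modern path: HTMLElement.nonce
  }
  // Legacy fallback: the attribute, when the engine still exposes it.
  const attr = typeof element.getAttribute === "function"
    ? element.getAttribute("nonce")
    : null;
  return attr || "";
}

// Build a <script> that inherits the nonce of `sourceScript`. Both the property
// (checked by CSP3 engines) and the attribute (older engines) are set, so the
// policy "script-src 'self' 'nonce-test123'" admits the new element.
// `doc` is a document-like object (the real `document` in a browser).
function createNoncedScript(doc, sourceScript, src) {
  const el = doc.createElement("script");
  el.src = src;
  const nonce = readNonce(sourceScript);
  if (nonce) {
    el.nonce = nonce;
    el.setAttribute("nonce", nonce);
  }
  return el;
}

// Constructed stand-ins for the two browser generations (not real DOM objects).
function modernScriptTag(nonce) {
  // CSP3 behaviour: attribute hidden, property populated.
  return { nonce, getAttribute: (n) => (n === "nonce" ? "" : null) };
}
function legacyScriptTag(nonce) {
  // Pre-CSP3 behaviour: no `nonce` property, attribute readable.
  const attrs = { nonce };
  return { getAttribute: (n) => (n in attrs ? attrs[n] : null) };
}
const stubDocument = {
  createElement(tag) {
    const attrs = {};
    return {
      tagName: tag.toUpperCase(),
      nonce: "",
      setAttribute: (k, v) => { attrs[k] = String(v); },
      getAttribute: (k) => (k in attrs ? attrs[k] : null),
    };
  },
};
```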