[
https://issues.apache.org/jira/browse/MYFACES-4479?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17617048#comment-17617048
]
Werner Punz edited comment on MYFACES-4479 at 10/13/22 1:22 PM:
----------------------------------------------------------------
So first of all thanks for reporting the bug, this went under my radar.
I have a small testcase working, which needs to be fleshed out more., following,
at the first look, I have to run the tests, your patch seems valid
item.getAttribute("nonce") does not work anymore
but item.nonce still returns the nonce value.
I have the same issue in my new code, respectively its underlying baselib.
I will test your pull request once my new testcase is properly integrated and
if all is well, I will merge it tomorrow.
I also have to fix the faces_ts nextgen codebase for 4.0.
was (Author: werpu):
I have a small testcase working, which needs to be fleshed out more., following,
at the first look, I have to run the tests, your patch seems valid
item.getAttribute("nonce") does not work anymore
but item.nonce still returns the nonce value.
I have the same issue in my new code, respectively its underlying baselib.
I will test your pull request once my new testcase is properly integrated and
if all is well, I will merge it tomorrow.
I also have to fix the faces_ts nextgen codebase for 4.0.
So first of all thanks for reporting the bug, this went under my radar.
> The jsf.js script does not read the nonce correctly in modern browsers.
> -----------------------------------------------------------------------
>
> Key: MYFACES-4479
> URL: https://issues.apache.org/jira/browse/MYFACES-4479
> Project: MyFaces Core
> Issue Type: Bug
> Components: General
> Affects Versions: 2.3-next-M7
> Environment: Myfaces 2.3-next-M7
> Chrome: 106.0.5249.103
> Reporter: Vitaly Sidorov
> Assignee: Werner Punz
> Priority: Major
>
> In Chrome it is no longer possible to get a nonce with getAttribute("nonce").
> You can only use HTMLElement.nonce (see:
> [https://developer.mozilla.org/en-US/docs/Web/API/HTMLElement/nonce)]
> Steps to reproduce:
> - set header Content-Security-Policy: script-src 'self' 'nonce-test123'
> - set <h:outputScript pt:nonce="test123" library="javax.faces" name="jsf.js"
> target="head"/>
> - set parameters
> org.apache.myfaces.USE_MULTIPLE_JS_FILES_FOR_JSF_UNCOMPRESSED_JS=false and
> javax.faces.PROJECT_STAGE=Developement
> - open page in browser and get multiple errors in console:
> {{jsf.js.jsf?ln=javax.faces&stage=Development:93 Refused to execute inline
> script because it violates the following Content Security Policy directive:
> "script-src 'self' 'nonce=test123'". Either the 'unsafe-inline' keyword, a
> hash ('sha256-Xu6aRWi9bDVg9FaanKbn/uUSQUCsJ5g+bPB5SUYUIfk='), or a nonce
> ('nonce-...') is required to enable inline execution.}}
> The reason:
> The error falls on .appendChild(element) in code
> {{var htmlScriptElement = document.head.appendChild(element);}}
> {{document.head.removeChild(htmlScriptElement);}}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
