[ 
https://issues.apache.org/jira/browse/MYFACES-4479?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17617529#comment-17617529
 ] 

Werner Punz edited comment on MYFACES-4479 at 10/14/22 7:23 AM:
----------------------------------------------------------------

I have added the tests and fixes to my pull requests for the integrationtests 
and the new typescript scripts (all in the pull requests which are pending for 
RC3).

I will now tackle the old codebase.

When fixing this on my new code, I noticed that the fixes proposed in the patch 
do not suffice entirely, because "nonce" is not handled properly for embedded 
scripts (which are concatenated and then executed at once via the global nonce 
we have for jsf.js)

This works, if the embedded script is not "nonced" but if there is a nonce flag 
we have to pull out of this scheme and eval with the nonce it has (and eval the 
concatenated scripts before)

I added 4 cases to my tests to handle the 4 possible scenarios:
 * failing nonce, for script src,
 * non failing nonce for script src,
 * and the same for embedded scripts

So my plan for today is:

I will backport my integration tests to JSF 2.3 and then will take the patches 
in and fix the eval behavior as well.

The 4.0 codebase is working already and committed, you can get the code from 
the pull request.

Question is, since we are going to migrate the code anyway for 4.0 RC3 to the 
new Typescript code, are we going to fix this for 4.0RC2 on the old codebase as 
well?

There is not too much sense to perform this extra work in this case given that 
the code soon will be dropped anyway.

2.3 is out of the question, we are not going to migrate despite having the 
possibility (I have a working 2.3 version of my new code in my github project).

 


was (Author: werpu):
I have added the tests and fixes to my pull requests for the integrationtests 
and the new scripts.

I will now tackle the old codebase.

When fixing this on my new code, I noticed that the fixes proposed in the patch 
do not suffice entirely, because nonce is not handled properly for embedded 
scripts (which are concatenated and then executed at once via the global nonce 
we have for jsf.js)

This works, if the embedded script is not "nonced" but if there is a nonce flag 
we have to pull out of this scheme and eval with the nonce it has (and eval the 
concatenated scripts before)

I added 4 cases to my tests to handle the 4 possible scenarios:
 * failing nonce, for script src,
 * non failing nonce for script src,
 * and the same for embedded scripts

So my plan for today is:

I will backport my integration tests to JSF 2.3 and then will take the patches 
in and fix the eval behavior as well.

The 4.0 codebase is working already and committed, you can get the code from 
the pull request.

Question is, since we are going to migrate the code anyway for 4.0 RC3 to the 
new Typescript code, are we going to fix this for 4.0RC2 on the old codebase as 
well?

There is not too much sense to perform this extra work in this case given that 
the code soon will be dropped anyway.

2.3 is out of the question, we are not going to migrate despite having the 
possibility (I have a working 2.3 version of my new code in my github project).

 

> The jsf.js script does not read the nonce correctly in modern browsers.
> -----------------------------------------------------------------------
>
>                 Key: MYFACES-4479
>                 URL: https://issues.apache.org/jira/browse/MYFACES-4479
>             Project: MyFaces Core
>          Issue Type: Bug
>          Components: General
>    Affects Versions: 4.0.0-RC1, 2.3.10, 2.3-next-M7
>         Environment: Myfaces 2.3-next-M7
> Chrome: 106.0.5249.103
>            Reporter: Vitaly Sidorov
>            Assignee: Werner Punz
>            Priority: Major
>
> In Chrome it is no longer possible to get a nonce with getAttribute("nonce").
> You can only use HTMLElement.nonce (see: 
> [https://developer.mozilla.org/en-US/docs/Web/API/HTMLElement/nonce])
> Steps to reproduce:
> - set header Content-Security-Policy: script-src 'self' 'nonce-test123'
> - set <h:outputScript pt:nonce="test123" library="javax.faces" name="jsf.js" 
> target="head"/>
> - set parameters 
> org.apache.myfaces.USE_MULTIPLE_JS_FILES_FOR_JSF_UNCOMPRESSED_JS=false and 
> javax.faces.PROJECT_STAGE=Development
> - open page in browser and get multiple errors in console: 
> {{jsf.js.jsf?ln=javax.faces&stage=Development:93 Refused to execute inline 
> script because it violates the following Content Security Policy directive: 
> "script-src 'self' 'nonce=test123'". Either the 'unsafe-inline' keyword, a 
> hash ('sha256-Xu6aRWi9bDVg9FaanKbn/uUSQUCsJ5g+bPB5SUYUIfk='), or a nonce 
> ('nonce-...') is required to enable inline execution.}}
> The reason:
> The error falls on .appendChild(element) in code
> {{var htmlScriptElement = document.head.appendChild(element);}}
> {{document.head.removeChild(htmlScriptElement);}}
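The two problems discussed in this issue, the nonce content attribute being hidden from getAttribute() so that only HTMLElement.nonce still returns it, and embedded scripts that carry their own nonce having to be evaluated under that nonce instead of being folded into the batch run under the loader's global nonce, as an added JavaScript example. This is not MyFaces or jsf.js code; the function names, the nonce values, the sample scripts and the stand-in document object are all assumptions, constructed so the example runs under Node without a browser.

```javascript
// Added example, not code from MyFaces or jsf.js. Function names, nonce values
// and the sample scripts are assumptions; the fake document stands in for a
// browser DOM so the example runs under Node.

// Resolve a script element's nonce. Once a page with a CSP has loaded, Chrome
// hides the content attribute (getAttribute("nonce") returns "") but the IDL
// property still holds the value, so the property wins and the attribute is
// only a fallback for engines without it.
function resolveNonce(element) {
  if (!element) return "";
  if (typeof element.nonce === "string" && element.nonce !== "") return element.nonce;
  const attr = typeof element.getAttribute === "function" ? element.getAttribute("nonce") : null;
  return attr || "";
}

// Group embedded scripts into evaluation batches. Scripts without a nonce of
// their own are concatenated and run once under the global nonce; a script that
// carries its own nonce flushes the pending batch first (order is preserved)
// and then runs alone under its own nonce.
function planEmbeddedScripts(scripts, globalNonce) {
  const batches = [];
  let pending = [];
  const flush = () => {
    if (pending.length > 0) {
      batches.push({ nonce: globalNonce, source: pending.join("\n") });
      pending = [];
    }
  };
  for (const script of scripts) {
    if (script.nonce) {
      flush();
      batches.push({ nonce: script.nonce, source: script.text });
    } else {
      pending.push(script.text);
    }
  }
  flush();
  return batches;
}

// Execute one batch the way an inline-script loader does: build a <script>
// element, give it the nonce (the IDL property is what the CSP check reads; the
// attribute is set too for older engines), insert it into <head> so the browser
// evaluates it, then remove it again. Returns the inserted element.
function runBatch(doc, batch) {
  const el = doc.createElement("script");
  el.type = "text/javascript";
  if (batch.nonce) {
    el.nonce = batch.nonce;
    el.setAttribute("nonce", batch.nonce);
  }
  el.text = batch.source;
  const inserted = doc.head.appendChild(el);
  doc.head.removeChild(inserted);
  return inserted;
}

// Constructed stand-in DOM: the fake <head> records what a real browser would
// have evaluated and under which nonce.
function makeFakeDocument() {
  const executed = [];
  const head = {
    appendChild(el) { executed.push({ nonce: el.nonce, text: el.text }); return el; },
    removeChild(el) { return el; },
  };
  return {
    head,
    executed,
    createElement(tag) {
      const attrs = {};
      return {
        tagName: tag.toUpperCase(),
        setAttribute(name, value) { attrs[name] = String(value); },
        getAttribute(name) { return name in attrs ? attrs[name] : null; },
      };
    },
  };
}

// Constructed sample: the loader element as Chrome exposes it after nonce
// hiding, plus four embedded scripts, one of which carries its own nonce.
const chromeLoaderElement = {
  nonce: "test123",
  getAttribute: (name) => (name === "nonce" ? "" : null),
};
const sampleScripts = [
  { text: "window.a = 1;", nonce: "" },
  { text: "window.b = 2;", nonce: "" },
  { text: "window.c = 3;", nonce: "other456" },
  { text: "window.d = 4;", nonce: "" },
];

// Runs the sample and returns the batches the fake browser evaluated.
function demo() {
  const doc = makeFakeDocument();
  const globalNonce = resolveNonce(chromeLoaderElement);
  planEmbeddedScripts(sampleScripts, globalNonce).forEach((batch) => runBatch(doc, batch));
  return doc.executed;
}
```

Calling demo() yields three evaluations: the first two scripts concatenated under the global nonce test123, the third alone under other456, and the fourth again under test123; a loader that concatenated all four would have the third script refused by the policy.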



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
