Vitaly Sidorov created MYFACES-4481:
---------------------------------------

             Summary: HTML event handlers don't work without 'unsafe-inline'
                 Key: MYFACES-4481
                 URL: https://issues.apache.org/jira/browse/MYFACES-4481
             Project: MyFaces Core
          Issue Type: Bug
          Components: General
    Affects Versions: 2.3-next-M7
         Environment: Chrome: 106.0.5249.103
            Reporter: Vitaly Sidorov


HTML event handlers don't work without 'unsafe-inline' in 
'Content-Security-Policy' header.

Steps to reproduce:
- set header Content-Security-Policy: script-src 'self' 'nonce-test123'
- set <h:outputScript pt:nonce="test123" library="javax.faces" name="jsf.js" 
target="head"/>
- add h:commandLink inside h:form
- set parameters 
org.apache.myfaces.USE_MULTIPLE_JS_FILES_FOR_JSF_UNCOMPRESSED_JS=false and 
javax.faces.PROJECT_STAGE=Development
- open the page in a browser and click the link
- get this error in the console:

{{Refused to execute inline event handler because it violates the following 
Content Security Policy directive: "script-src 'self' 'nonce-test123'". Either 
the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is 
required to enable inline execution. Note that hashes do not apply to event 
handlers, style attributes and javascript: navigations unless the 
'unsafe-hashes' keyword is present.}}
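As an added check for the situation this report describes (not MyFaces code or a MyFaces feature): a small Python linter that scans rendered HTML for the constructs a nonce-only `script-src` refuses, namely inline event-handler attributes, `javascript:` navigations and inline `<script>` blocks whose nonce does not match. The sample page and its `submitForm` call are constructed for illustration; the nonce value is the one from the report.

```python
import re
from html.parser import HTMLParser

# Attribute names like onclick/onload: CSP treats these as inline script and
# neither a nonce nor a hash covers them unless 'unsafe-hashes' is present.
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.IGNORECASE)


class CspLinter(HTMLParser):
    """Collects (line, description) for markup a nonce-only script-src rejects."""

    def __init__(self, nonce):
        super().__init__()
        self.nonce = nonce
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        line = self.getpos()[0]
        for name, value in attrs.items():
            if EVENT_ATTR.match(name):
                self.findings.append((line, f"inline handler {name}"))
            elif name == "href" and value and value.strip().lower().startswith("javascript:"):
                self.findings.append((line, "javascript: navigation"))
        # An inline <script> (no src) must carry the exact nonce; a script
        # loaded via src from the same origin is already allowed by 'self'.
        if tag == "script" and "src" not in attrs and attrs.get("nonce") != self.nonce:
            self.findings.append((line, "inline <script> without matching nonce"))


def lint_html(html, nonce):
    """Return the list of CSP-violating constructs found in rendered HTML."""
    linter = CspLinter(nonce)
    linter.feed(html)
    linter.close()
    return linter.findings


# Constructed sample of what a rendered page could look like; not MyFaces output.
SAMPLE = """<html><head>
<script nonce="test123" src="/javax.faces.resource/jsf.js.xhtml?ln=javax.faces"></script>
</head><body>
<form id="f" action="/page.xhtml"><a href="#" onclick="return submitForm('f');">Go</a>
<a href="javascript:void(0)">x</a>
<script>window.onload = init;</script>
</form></body></html>"""

if __name__ == "__main__":
    for line, what in lint_html(SAMPLE, "test123"):
        print(f"line {line}: {what}")
```

Running it against the real response body of the page from the reproduction steps shows exactly which rendered attributes would need to change before the header can drop 'unsafe-inline'.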
