[ https://issues.apache.org/jira/browse/MYFACES-4280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16887718#comment-16887718 ]

Werner Punz commented on MYFACES-4280:
--------------------------------------

Just a short discussion start here, after reading up on nonce (this is coming 
in from HTML 5.1, hence it is not implemented yet). We need a proper way to deal 
with it on the server as well. The issue is that a nonce should be used once 
for security reasons.

Hence the ajax response probably will not issue updated nonce numbers, which 
means every request will recycle the initial nonce.

I for one will implement nonce as is, by just checking for an existing page 
nonce and forwarding it to the ajax request, but we might have to use the 
extends flag in the response protocol for a new nonce from time to time. The 
issue is that some old nonce might be issued before the updated nonce comes in. 
So I am not sure how to resolve that properly, maybe by a nonce list and 
timestamp which kills old nonce values after a fixed period of time.

 

> CSP: nonce attribute on script tags will be ignored on ajax updates
> -------------------------------------------------------------------
>
>                 Key: MYFACES-4280
>                 URL: https://issues.apache.org/jira/browse/MYFACES-4280
>             Project: MyFaces Core
>          Issue Type: New Feature
>            Reporter: Thomas Andraschko
>            Assignee: Werner Punz
>            Priority: Major
>
> simple CSP case:
>  - add a static nonce via phase listener/servlet filter in the headers
>  - add the static nonce to a script tag
> this works fine for a GET request or non-ajax POST but our ajax engine just 
> ignores the nonce attribute on scripts and following error occurs in the 
> browser:
> Content Security Policy: The page's settings blocked the loading of a 
> resource at inline ("script-src").
> There will probably be other tickets in the future, but that's the first basic 
> case which must be supported.
> There are of course other problems like onclick handlers in the DOM or the 
> eval node in the partial-response.
> Similar to: https://github.com/jquery/jquery/issues/3541



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
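The following is an added example, not code from MyFaces or from the ticket, of what an ajax engine has to do with the scripts inside a partial-response update when the page runs under a nonce-based CSP. It assumes (none of this is stated in the ticket) that the update markup arrives as a string, as it does inside the CDATA of an `<update>` element, that the page nonce is the value the server put into the `Content-Security-Policy` header and into the initial `<script nonce>` tags, and that scripts are re-executed by creating fresh `<script>` elements, since `innerHTML` never executes them. The sample update payload, the nonce values and the function names are constructed for the example.

```javascript
'use strict';

// Constructed sample: one update block as it would appear inside a
// partial-response, carrying a nonced script, a plain inline script and an
// external script. The nonce value is made up.
const PAGE_NONCE = 'r4nd0m';
const SAMPLE_UPDATE =
  '<div id="form:panel">' +
  '<span>updated</span>' +
  '<script nonce="r4nd0m" type="text/javascript">window.__panel = 1;</script>' +
  '<script>window.__second = 2;</script>' +
  '<script src="/faces/javax.faces.resource/x.js"></script>' +
  '</div>';

const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;

// Parse the attribute text of a <script> start tag into a plain object
// (names lower-cased, quoted or bare values, boolean attributes as '').
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Split update markup into the static HTML (scripts stripped) and the list
// of scripts the engine must re-execute. Every script is given the page
// nonce, which is the "check the existing page nonce and forward it" approach
// from the comment. A script that arrives with a different nonce is flagged:
// that is the stale/rotated-nonce case the comment is worried about.
function extractScripts(markup, pageNonce) {
  const scripts = [];
  const html = markup.replace(SCRIPT_RE, (all, attrText, body) => {
    const attrs = parseAttrs(attrText);
    scripts.push({
      src: attrs.src || null,
      body: attrs.src ? '' : body,
      originalNonce: attrs.nonce || null,
      nonce: pageNonce,
      nonceMismatch: Boolean(attrs.nonce) && attrs.nonce !== pageNonce,
    });
    return '';
  });
  return { html, scripts };
}

// Read the page nonce from a script tag that is already in the document.
// Caveat (CSP3 nonce hiding): once such an element is connected,
// getAttribute('nonce') returns "" in current browsers, while the IDL
// property still exposes the real value, so use el.nonce, not the attribute.
function currentPageNonce(doc) {
  const el = doc.querySelector('script[nonce]');
  return el && el.nonce ? el.nonce : null;
}

// Re-create each script as a new element so it actually executes, with the
// nonce set before insertion; CSP checks the nonce of the element that is
// inserted, not the one that was in the innerHTML string.
function runScripts(doc, scripts) {
  for (const s of scripts) {
    const el = doc.createElement('script');
    el.nonce = s.nonce;
    if (s.src) {
      el.src = s.src;
    } else {
      el.text = s.body;
    }
    doc.head.appendChild(el);
    if (!s.src) el.remove(); // inline script has run; keep <head> clean
  }
}

// Apply one <update> to the DOM: markup first, then the scripts.
function applyUpdate(doc, targetId, markup) {
  const pageNonce = currentPageNonce(doc);
  const { html, scripts } = extractScripts(markup, pageNonce);
  doc.getElementById(targetId).innerHTML = html;
  runScripts(doc, scripts);
  return scripts;
}

// Offline run (no DOM): just the extraction step on the constructed sample.
if (typeof document === 'undefined') {
  const { html, scripts } = extractScripts(SAMPLE_UPDATE, PAGE_NONCE);
  console.log(html);
  console.log(scripts.map((s) => [s.src || s.body, s.nonce, s.nonceMismatch]));
}
```

Two points this does not solve, matching the "other problems" listed in the ticket: an `eval` element in the partial-response still needs `'unsafe-eval'` in `script-src`, and inline `onclick` handlers in updated markup still need `'unsafe-inline'` (or a hash-based allowance), because neither is a `<script>` element that can carry a nonce. Forwarding the initial nonce also means that nonce stays valid for the lifetime of the page, which is exactly the reuse the comment describes; the `nonceMismatch` flag is there so that an update arriving after a server-side rotation can be spotted rather than silently blocked.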
