[ 
https://issues.apache.org/jira/browse/MYFACES-4280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16887854#comment-16887854
 ] 

Werner Punz commented on MYFACES-4280:
--------------------------------------

OK, loadScriptByBrowser is basically dead code; I will eliminate that one.

There the head-append method is basically the last fallback, which no modern 
browser at the moment falls into, since they all support eval.

I really would need a proper example here of how to trigger this via ajax. I 
ran a set of tests and I could only trigger it by having embedded script tags 
with no nonce attributes set. But this is hardly anything I can do something 
about on my side. This needs a fix on outputscript if there is none already 
present.

So here is my request: can you provide a proper mini example (just one page) 
with your exact case? A WAR suffices, or even an XHTML page.

 

> CSP: nonce attribute on script tags will be ignored on ajax updates
> -------------------------------------------------------------------
>
>                 Key: MYFACES-4280
>                 URL: https://issues.apache.org/jira/browse/MYFACES-4280
>             Project: MyFaces Core
>          Issue Type: New Feature
>            Reporter: Thomas Andraschko
>            Assignee: Werner Punz
>            Priority: Major
>
> simple CSP case:
>  - add a static nonce via phaselistener/servletfilter in the headers
>  - add the static nonce to a script tag
> this works fine for a GET request or non-ajax POST, but our ajax engine just 
> ignores the nonce attribute on scripts and the following error occurs in the 
> browser:
> Content Security Policy: Die Einstellungen der Seite haben das Laden einer 
> Ressource auf inline blockiert ("script-src").
> There will probably be other tickets in the future, but that's the first basic 
> case which must be supported.
> There are of course other problems like onclick handlers in the DOM or the 
> eval node in the partial-response.
> Similar to: https://github.com/jquery/jquery/issues/3541



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
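As an added example (not code from MyFaces or from either commenter): a sketch of how an ajax engine can carry the nonce from the partial response's script tags onto the elements it re-creates, so a nonce-based script-src policy runs them instead of blocking the eval path. The fragment format, nonce handling and function names are assumptions for illustration.

```javascript
// Added example, not MyFaces code: how an ajax update engine can honour a CSP
// nonce instead of eval()ing script text from the partial response. Assumes a
// page-wide nonce the server put on every <script> it rendered; names constructed.

// Regexes sufficient for engine-generated fragments; not a general HTML parser.
const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const ATTR_RE = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;

function parseAttrs(raw) {
  const out = {};
  for (const m of raw.matchAll(ATTR_RE)) out[m[1].toLowerCase()] = m[2] ?? m[3];
  return out;
}

// Split a fragment into plain markup and the <script> elements it carries.
function extractScripts(fragment) {
  const scripts = [];
  const markup = fragment.replace(SCRIPT_RE, (_, attrs, body) => {
    const a = parseAttrs(attrs);
    scripts.push({ src: a.src || null, nonce: a.nonce || null, text: body.trim() });
    return '';
  });
  return { markup, scripts };
}

// eval()'d text is never nonce-checked and needs 'unsafe-eval', so decide per
// script whether a nonce-based script-src policy will run it as an element.
function planScripts(scripts, pageNonce) {
  return scripts.map(s => ({
    ...s,
    allowed: s.nonce !== null && s.nonce === pageNonce,
    reason: s.nonce === null ? 'missing nonce'
      : s.nonce === pageNonce ? 'nonce matches' : 'nonce mismatch',
  }));
}

// Re-create each script as a real element so the browser's CSP check sees the
// nonce; `doc` is the page document (a minimal stand-in works for tests).
function applyScripts(plan, doc) {
  return plan.map(s => {
    const el = doc.createElement('script');
    if (s.nonce) el.setAttribute('nonce', s.nonce);
    if (s.src) el.src = s.src; else el.textContent = s.text;
    doc.head.appendChild(el);
    return el;
  });
}
```

A script in the fragment with no nonce (or a stale one) shows up as `allowed: false`, which is the case the comment above describes as needing a fix on the rendering side rather than in the ajax engine.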