[ https://issues.apache.org/jira/browse/MYFACES-4280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16887854#comment-16887854 ]
Werner Punz commented on MYFACES-4280:
--------------------------------------

OK, loadScriptByBrowser is basically dead code; I will eliminate that one. There, the head-append method is basically the last fallback, which no modern browser at the moment falls into since they all support eval. I really would need a proper example here of how to trigger this via ajax. I ran a set of tests, and I could only trigger it by having embedded script tags with no nonce attribute set. But this is hardly anything I can do something about on my side. This needs a fix on outputScript if there is none already present.

So here is my request: can you provide a proper mini example (just one page) with your exact case? A WAR suffices, or even an xhtml page.

> CSP: nonce attribute on script tags will be ignored on ajax updates
> -------------------------------------------------------------------
>
>                 Key: MYFACES-4280
>                 URL: https://issues.apache.org/jira/browse/MYFACES-4280
>             Project: MyFaces Core
>          Issue Type: New Feature
>            Reporter: Thomas Andraschko
>            Assignee: Werner Punz
>            Priority: Major
>
> Simple CSP case:
> - add a static nonce via PhaseListener/servlet filter in the headers
> - add the static nonce to a script tag
>
> This works fine for a GET request or a non-ajax POST, but our ajax engine just
> ignores the nonce attribute on scripts and the following error occurs in the
> browser:
>
> Content Security Policy: The page's settings blocked the loading of a
> resource at inline ("script-src").
>
> There will probably be other tickets in the future, but that's the first basic
> case which must be supported.
> There are of course other problems, like onclick handlers in the DOM or the
> eval node in the partial-response.
> Similar to: https://github.com/jquery/jquery/issues/3541

--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
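As an added example that is not part of this issue or of the MyFaces code base: a small JavaScript model of the script-replay step an ajax engine performs on a partial-response fragment. Scripts inserted through innerHTML never execute, so the engine must either eval() their text (which a nonce-based script-src rejects unless 'unsafe-eval' is present) or recreate them as fresh `<script>` elements, and the recreated element only passes the policy if the nonce attribute is copied over. The fragment, nonce value, policy string and every function name below are constructed for this example, and `cspAllows` models only the nonce-relevant rules of the browser's decision.

```javascript
// Added example, not MyFaces code: replaying <script> tags from a
// partial-response fragment under a nonce-based Content Security Policy.
// Nonce, fragment and policy are constructed for this example.

const SAMPLE_NONCE = 'r4nd0mNonce123';
const SAMPLE_POLICY = `default-src 'self'; script-src 'self' 'nonce-${SAMPLE_NONCE}'`;
const SAMPLE_FRAGMENT =
  '<div id="form:panel">' +
  `<script nonce="${SAMPLE_NONCE}">window.panelReady = true;</script>` +
  `<script src="/js/widget.js" nonce="${SAMPLE_NONCE}"></script>` +
  '<script>window.noNonce = true;</script>' +
  '<span>updated</span></div>';

// Pull every <script> out of an HTML fragment: [{ attrs, body }].
function extractScripts(html) {
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  const attrRe = /([\w:-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const scripts = [];
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attrs = {};
    let attr;
    attrRe.lastIndex = 0;
    while ((attr = attrRe.exec(tag[1])) !== null) {
      attrs[attr[1].toLowerCase()] = attr[2] ?? attr[3] ?? attr[4] ?? '';
    }
    scripts.push({ attrs, body: tag[2] });
  }
  return scripts;
}

// Source expressions of the script-src directive, e.g. {"'self'", "'nonce-x'"}.
function scriptSrcOf(policy) {
  for (const directive of policy.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'script-src') return new Set(tokens.slice(1));
  }
  return new Set();
}

// Minimal model of the CSP decision for the two ways of running a script.
//   how === 'eval'    : eval()/new Function() on the script text
//   how === 'element' : a <script> element carrying `attrs`
// 'self' is approximated as "root-relative URL"; 'unsafe-inline' is ignored
// once the directive contains a nonce or hash, as CSP Level 2+ browsers do.
function cspAllows(policy, how, attrs = {}) {
  const src = scriptSrcOf(policy);
  if (how === 'eval') return src.has("'unsafe-eval'");
  if (attrs.nonce && src.has(`'nonce-${attrs.nonce}'`)) return true;
  if (attrs.src) return src.has("'self'") && attrs.src.startsWith('/');
  const nonceOrHash = [...src].some((t) => /^'(nonce|sha(256|384|512))-/.test(t));
  return src.has("'unsafe-inline'") && !nonceOrHash;
}

// Replay the scripts of a fragment and report what the policy would do.
//   mode 'eval'    : the eval() path; a nonce cannot be expressed at all
//   mode 'element' : recreate elements, copying the nonce when copyNonce is true
function replayScripts(fragment, policy, mode, copyNonce = true) {
  return extractScripts(fragment).map(({ attrs }) => {
    const newAttrs = { ...attrs };
    if (!copyNonce) delete newAttrs.nonce;
    const allowed = mode === 'eval'
      ? cspAllows(policy, 'eval')
      : cspAllows(policy, 'element', newAttrs);
    return { src: attrs.src || null, nonce: newAttrs.nonce || null, allowed };
  });
}

// Number of scripts in the fragment that the policy would let run.
function countAllowed(fragment, policy, mode, copyNonce = true) {
  return replayScripts(fragment, policy, mode, copyNonce).filter((r) => r.allowed).length;
}

// Browser-side insertion: recreate the element, copy every attribute
// (nonce included) and append it to <head>; textContent avoids re-parsing.
// `doc` is a parameter so the function can be exercised outside a browser.
function appendScriptElement(doc, attrs, body) {
  const el = doc.createElement('script');
  for (const [name, value] of Object.entries(attrs)) el.setAttribute(name, value);
  if (!attrs.src) el.textContent = body;
  doc.head.appendChild(el);
  return el;
}

if (typeof document === 'undefined') {
  // Under Node there is no DOM: print the decision table for each strategy.
  for (const [mode, copyNonce] of [['eval', true], ['element', false], ['element', true]]) {
    console.log(mode, copyNonce ? '(nonce copied)' : '(nonce dropped)',
      replayScripts(SAMPLE_FRAGMENT, SAMPLE_POLICY, mode, copyNonce));
  }
}
```

With the sample policy, the eval path runs none of the three scripts, the element path without copying the nonce runs only the external one (it passes on 'self'), and the element path with the nonce copied runs both nonce-carrying scripts; the inline script without a nonce is rejected in every case, which matches the behaviour Werner observed above.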