[ https://issues.apache.org/jira/browse/MYFACES-4280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16888727#comment-16888727 ]

Werner Punz edited comment on MYFACES-4280 at 7/19/19 9:13 AM:
---------------------------------------------------------------

Ok fixed, I now only apply the head appendix method as eval, and also pass the 
nonce attribute wherever possible.

At least in my tests, which resemble Thomas's testcase, it works now. My 
integration tests also pass.

Please give my patches a proper run in real life, and then close this issue.

Also some now unused legacy code was dumped along the lines (RTQirks and the 
global eval handling via eval instead of head append).


was (Author: werpu):
Ok fixed, I now only apply the head appendix method as eval, and also pass the 
nonce attribute wherever possible.

At least in my tests, which resemble Thomas's testcase, it works now. My 
integration tests also pass.

Please give my patches a proper run in real life, and then close this issue.

> CSP: nonce attribute on script tags will be ignored on ajax updates
> -------------------------------------------------------------------
>
>                 Key: MYFACES-4280
>                 URL: https://issues.apache.org/jira/browse/MYFACES-4280
>             Project: MyFaces Core
>          Issue Type: New Feature
>            Reporter: Thomas Andraschko
>            Assignee: Werner Punz
>            Priority: Major
>
> simple CSP case:
>  - add a static nonce via phaselistener/servletfilter in the headers
>  - add the static nonce to a script tag
> this works fine for a GET request or non-ajax POST but our ajax engine just 
> ignores the nonce attribute on scripts and the following error occurs in the 
> browser:
> Content Security Policy: Die Einstellungen der Seite haben das Laden einer 
> Ressource auf inline blockiert ("script-src").
> There will probably be other tickets in the future but that's the first basic 
> case which must be supported.
> There are of course other problems like onclick handlers in the DOM or the 
> eval node in the partial-response.
> Similar to: https://github.com/jquery/jquery/issues/3541
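The fix described in the comment above (append a real script element that carries the CSP nonce to the head instead of eval'ing the script text) can be illustrated with the following added example. It is not MyFaces code and does not reproduce the MyFaces ajax engine; the update fragment, the nonce value and the tiny fake document used to run it outside a browser are all constructed for the example. In a browser you would pass `document` instead of the fake one and obtain the page's own nonce from `document.currentScript.nonce`. The caveats the reporter lists still apply: a nonce only authorizes script elements, so inline `onclick` handlers and the eval node of the partial response remain blocked under a `script-src 'nonce-...'` policy unless the policy also allows them.

```javascript
// Added example (not MyFaces code): apply <script> tags found in an ajax update
// fragment by appending nonce-bearing <script> elements to <head>, rather than
// eval()'ing their text. Under "script-src 'nonce-...'" eval is blocked unless
// 'unsafe-eval' is also allowed, while an element carrying the nonce is permitted.

// Constructed sample fragment, standing in for one update of a partial response.
const SAMPLE_UPDATE =
  '<div id="form:panel">' +
  '<script nonce="r4nd0mN0nce" type="text/javascript">window.__loaded = true;</script>' +
  '<script src="/js/extra.js"></script>' +
  '</div>';

const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const ATTR_RE = /([\w:-]+)\s*=\s*"([^"]*)"/g;

// Pull every <script> out of the fragment with its attributes and inline body.
function parseScripts(html) {
  const scripts = [];
  for (const m of html.matchAll(SCRIPT_RE)) {
    const attrs = {};
    for (const a of m[1].matchAll(ATTR_RE)) attrs[a[1].toLowerCase()] = a[2];
    scripts.push({ attrs, body: m[2] });
  }
  return scripts;
}

// Build a <script> element. A nonce present in the fragment wins; otherwise the
// page's own nonce is reused. The .nonce property is set as well as the attribute,
// because browsers hide the nonce content attribute once the element is in the DOM.
function createNonceScript(doc, script, pageNonce) {
  const el = doc.createElement('script');
  const nonce = script.attrs.nonce || pageNonce;
  if (nonce) {
    el.setAttribute('nonce', nonce);
    el.nonce = nonce;
  }
  if (script.attrs.type) el.type = script.attrs.type;
  if (script.attrs.src) el.src = script.attrs.src;
  else el.text = script.body;
  return el;
}

// Append each script to <head>; the browser then runs it under the CSP nonce check.
function applyScripts(doc, html, pageNonce) {
  return parseScripts(html).map((s) => {
    const el = createNonceScript(doc, s, pageNonce);
    doc.head.appendChild(el);
    return el;
  });
}

// Minimal stand-in for the DOM so the example runs under Node (constructed for the
// example); in a browser, pass the real `document` instead.
function makeFakeDocument() {
  const head = { children: [], appendChild(el) { this.children.push(el); return el; } };
  return {
    head,
    createElement(tag) {
      const attrs = {};
      return {
        tagName: tag.toUpperCase(),
        text: '',
        setAttribute(k, v) { attrs[k] = String(v); },
        getAttribute(k) { return k in attrs ? attrs[k] : null; },
      };
    },
  };
}

// Usage: the first script keeps its own nonce, the second inherits the page nonce.
const doc = makeFakeDocument();
const added = applyScripts(doc, SAMPLE_UPDATE, 'r4nd0mN0nce');
console.log(added.map((el) => ({ nonce: el.nonce, src: el.src, text: el.text })));
```

The parsing here is deliberately simple (double-quoted attributes only); a real ajax engine works on the DOM it already built for the update rather than on regexes over the markup. The point the example makes is the data flow: the nonce travels from the server's markup onto the script element that is actually inserted, which is what a nonce-based policy checks.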

--
This message was sent by Atlassian JIRA
(v7.6.14#76016)