[ https://issues.apache.org/jira/browse/MYFACES-4479?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17616988#comment-17616988 ]
Werner Punz commented on MYFACES-4479:
--------------------------------------

I will have a look at it, both for the old and for the 4.0 scripts. I remember we had a similar issue before, might have been a regression which went in.

A fix will be available probably by tomorrow.

> The jsf.js script does not read the nonce correctly in modern browsers.
> -----------------------------------------------------------------------
>
>                 Key: MYFACES-4479
>                 URL: https://issues.apache.org/jira/browse/MYFACES-4479
>             Project: MyFaces Core
>          Issue Type: Bug
>          Components: General
>   Affects Versions: 2.3-next-M7
>         Environment: Myfaces 2.3-next-M7
> Chrome: 106.0.5249.103
>            Reporter: Vitaly Sidorov
>            Priority: Major
>
> In Chrome it is no longer possible to get a nonce with getAttribute("nonce").
> You can only use HTMLElement.nonce (see:
> [https://developer.mozilla.org/en-US/docs/Web/API/HTMLElement/nonce])
> Steps to reproduce:
> - set header Content-Security-Policy: script-src 'self' 'nonce-test123'
> - set <h:outputScript pt:nonce="test123" library="javax.faces" name="jsf.js" target="head"/>
> - set parameters org.apache.myfaces.USE_MULTIPLE_JS_FILES_FOR_JSF_UNCOMPRESSED_JS=false and javax.faces.PROJECT_STAGE=Developement
> - open page in browser and get multiple errors in console:
> {{jsf.js.jsf?ln=javax.faces&stage=Development:93 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'nonce=test123'". Either the 'unsafe-inline' keyword, a hash ('sha256-Xu6aRWi9bDVg9FaanKbn/uUSQUCsJ5g+bPB5SUYUIfk='), or a nonce ('nonce-...') is required to enable inline execution.}}
> The reason:
> The error falls on .appendChild(element) in code
> {{var htmlScriptElement = document.head.appendChild(element);}}
> {{document.head.removeChild(htmlScriptElement);}}

--
This message was sent by Atlassian Jira (v8.20.10#820010)
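
The nonce lookup described in the report, as an added example that is not part of the original message and is not MyFaces code: it reads the nonce from the `.nonce` property first and falls back to the attribute, then copies it onto the script element that will be appended. The helper names (`readNonce`, `createNoncedScript`) and the stand-in element and document objects are assumptions constructed so the snippet runs outside a browser.

```javascript
// Constructed stand-in for a connected <script> element in a browser that
// hides nonces: the content attribute reads "" while .nonce keeps the value.
function hiddenNonceScript(value) {
  return { nonce: value, getAttribute: (n) => (n === "nonce" ? "" : null) };
}

// Constructed stand-in for an older browser with no .nonce property.
function legacyNonceScript(value) {
  return { getAttribute: (n) => (n === "nonce" ? value : null) };
}

// Hypothetical helper: prefer the .nonce property, fall back to the attribute.
function readNonce(el) {
  if (!el) return "";
  if (typeof el.nonce === "string" && el.nonce !== "") return el.nonce;
  const attr = typeof el.getAttribute === "function" ? el.getAttribute("nonce") : null;
  return attr || "";
}

// Hypothetical helper: create the inline script to be appended, carrying
// the nonce of a script element that the policy already allows.
function createNoncedScript(doc, trustedScript, code) {
  const el = doc.createElement("script");
  const nonce = readNonce(trustedScript);
  if (nonce) {
    el.nonce = nonce;                // the value the CSP check uses
    el.setAttribute("nonce", nonce); // for browsers without the property
  }
  el.text = code;
  return el;
}

// Minimal constructed document so the example runs without a DOM.
const fakeDoc = {
  createElement: () => {
    const attrs = {};
    return {
      setAttribute: (k, v) => { attrs[k] = v; },
      getAttribute: (k) => attrs[k] ?? null,
    };
  },
};

const jsfScript = hiddenNonceScript("test123");
console.log("attribute lookup:", JSON.stringify(jsfScript.getAttribute("nonce")));
console.log("property lookup:", readNonce(jsfScript));
console.log("new element nonce:", createNoncedScript(fakeDoc, jsfScript, "/* code */").nonce);
```

In a real page the trusted element would typically be `document.currentScript` or the `jsf.js` script tag itself, and `doc` would be `document`.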