[jira] [Comment Edited] (MYFACES-4479) The jsf.js script does not read the nonce correctly in modern browsers.

Thu, 13 Oct 2022 05:23:22 -0700 


    [ 
https://issues.apache.org/jira/browse/MYFACES-4479?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17616988#comment-17616988
 ] 

Werner Punz edited comment on MYFACES-4479 at 10/13/22 12:22 PM:
-----------------------------------------------------------------

I will have a look at it, both for the old and for the 4.0 scripts.

A fix will be available probably by tomorrow.

 


was (Author: werpu):
I will have a look at it, both for the old and for the 4.0 scripts.

 

A fix will be available probably by tomorrow.

 

> The jsf.js script does not read the nonce correctly in modern browsers.
> -----------------------------------------------------------------------
>
>                 Key: MYFACES-4479
>                 URL: https://issues.apache.org/jira/browse/MYFACES-4479
>             Project: MyFaces Core
>          Issue Type: Bug
>          Components: General
>    Affects Versions: 2.3-next-M7
>         Environment: Myfaces 2.3-next-M7
> Chrome: 106.0.5249.103
>            Reporter: Vitaly Sidorov
>            Assignee: Werner Punz
>            Priority: Major
>
> In Chrome it is no longer possible to get a nonce with getAttribute("nonce").
> You can only use HTMLElement.nonce (see: 
> [https://developer.mozilla.org/en-US/docs/Web/API/HTMLElement/nonce)]
> Steps to reproduce:
> - set header Content-Security-Policy: script-src 'self' 'nonce-test123'
> - set <h:outputScript pt:nonce="test123" library="javax.faces" name="jsf.js" 
> target="head"/>
> - set parameters 
> org.apache.myfaces.USE_MULTIPLE_JS_FILES_FOR_JSF_UNCOMPRESSED_JS=false and 
> javax.faces.PROJECT_STAGE=Developement
> - open page in browser and get multiple errors in console: 
> {{jsf.js.jsf?ln=javax.faces&stage=Development:93 Refused to execute inline 
> script because it violates the following Content Security Policy directive: 
> "script-src 'self' 'nonce=test123'". Either the 'unsafe-inline' keyword, a 
> hash ('sha256-Xu6aRWi9bDVg9FaanKbn/uUSQUCsJ5g+bPB5SUYUIfk='), or a nonce 
> ('nonce-...') is required to enable inline execution.}}
> The reason:
> The error falls on .appendChild(element) in code
> {{var htmlScriptElement = document.head.appendChild(element);}}
> {{document.head.removeChild(htmlScriptElement);}}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to