[ https://issues.apache.org/jira/browse/MYFACES-4479?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17617011#comment-17617011 ]
Werner Punz commented on MYFACES-4479:
--------------------------------------

I will also add a test case for this in our integration test suite, which is pending for merge. Seems like this spec is changing a lot. And yes, newer browsers seem to break the nonce handling for security reasons; we probably have to take special care for that during our script evaluation.

> The jsf.js script does not read the nonce correctly in modern browsers.
> -----------------------------------------------------------------------
>
>                 Key: MYFACES-4479
>                 URL: https://issues.apache.org/jira/browse/MYFACES-4479
>             Project: MyFaces Core
>          Issue Type: Bug
>          Components: General
>    Affects Versions: 2.3-next-M7
>         Environment: Myfaces 2.3-next-M7
>                      Chrome: 106.0.5249.103
>            Reporter: Vitaly Sidorov
>            Assignee: Werner Punz
>            Priority: Major
>
> In Chrome it is no longer possible to get a nonce with getAttribute("nonce").
> You can only use HTMLElement.nonce (see: https://developer.mozilla.org/en-US/docs/Web/API/HTMLElement/nonce)
>
> Steps to reproduce:
> - set header Content-Security-Policy: script-src 'self' 'nonce-test123'
> - set <h:outputScript pt:nonce="test123" library="javax.faces" name="jsf.js" target="head"/>
> - set parameters org.apache.myfaces.USE_MULTIPLE_JS_FILES_FOR_JSF_UNCOMPRESSED_JS=false and javax.faces.PROJECT_STAGE=Development
> - open page in browser and get multiple errors in console:
> {{jsf.js.jsf?ln=javax.faces&stage=Development:93 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'nonce=test123'". Either the 'unsafe-inline' keyword, a hash ('sha256-Xu6aRWi9bDVg9FaanKbn/uUSQUCsJ5g+bPB5SUYUIfk='), or a nonce ('nonce-...') is required to enable inline execution.}}
>
> The reason:
> The error falls on .appendChild(element) in code
> {{var htmlScriptElement = document.head.appendChild(element);}}
> {{document.head.removeChild(htmlScriptElement);}}

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
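The mechanism behind the report, as an added example that is neither jsf.js nor MyFaces code: modern browsers hide the nonce content attribute once a script element is connected to the document, so getAttribute("nonce") returns "" while the `nonce` IDL property still carries the value, and a script element created at runtime is only covered by a 'nonce-...' source if the nonce is copied onto it before it is inserted. The functions readScriptNonce, findPageNonce and evalScriptWithNonce below are hypothetical names; makeFakeDocument is a constructed stand-in for a browser document (it reproduces only the nonce-hiding behaviour) so the block runs offline under Node, and the page nonce "test123" is the value from the reproduction steps.

```javascript
// Added example (not jsf.js / MyFaces code): read a CSP nonce the way current
// browsers require, and carry it onto a script element that is appended and
// removed at runtime, as jsf.js does when it evaluates script from a response.

// Prefer the `nonce` IDL property; fall back to the content attribute only for
// old engines that do not implement nonce hiding.
function readScriptNonce(el) {
  if (!el) return "";
  if (typeof el.nonce === "string" && el.nonce !== "") return el.nonce;
  const attr = typeof el.getAttribute === "function" ? el.getAttribute("nonce") : null;
  return attr || "";
}

// Nonce to reuse: the first script element that carries one. Assumption: all
// script tags of one response share that response's nonce.
function findPageNonce(doc) {
  const scripts = doc.querySelectorAll("script");
  for (let i = 0; i < scripts.length; i++) {
    const n = readScriptNonce(scripts[i]);
    if (n) return n;
  }
  return "";
}

// Append-and-remove evaluation with the nonce set first. The nonce is set via
// the property on a fresh element: cloning a connected script would copy the
// already-emptied attribute and lose the nonce.
function evalScriptWithNonce(doc, code, nonce) {
  const el = doc.createElement("script");
  el.type = "text/javascript";
  if (nonce) el.nonce = nonce;
  el.text = code;
  const inserted = doc.head.appendChild(el);
  doc.head.removeChild(inserted);
  return inserted;
}

// Constructed stand-in for a modern browser document (used only outside a
// browser). It reproduces one behaviour: once a script element with a nonce
// is connected, getAttribute("nonce") yields "" while `nonce` keeps the value.
function makeFakeDocument(pageNonce) {
  const head = { children: [] };
  function makeScript() {
    const el = { nonce: "", attrs: {}, text: "", connected: false };
    el.setAttribute = function (name, value) {
      el.attrs[name] = String(value);
      if (name === "nonce") el.nonce = String(value);
    };
    el.getAttribute = function (name) {
      return name in el.attrs ? el.attrs[name] : null;
    };
    return el;
  }
  head.appendChild = function (el) {
    el.connected = true;
    if (el.nonce) el.attrs.nonce = ""; // nonce hiding on connection
    head.children.push(el);
    return el;
  };
  head.removeChild = function (el) {
    const i = head.children.indexOf(el);
    if (i < 0) throw new Error("NotFoundError");
    head.children.splice(i, 1);
    el.connected = false;
    return el;
  };
  head.contains = (el) => head.children.indexOf(el) >= 0;
  const doc = { head: head, createElement: () => makeScript() };
  doc.querySelectorAll = () => head.children.slice();
  // The page's own jsf.js script tag, rendered with pt:nonce="..." (constructed)
  const jsfScript = makeScript();
  jsfScript.setAttribute("src", "jsf.js.jsf?ln=javax.faces");
  jsfScript.setAttribute("nonce", pageNonce);
  head.appendChild(jsfScript);
  return doc;
}

// Exercise the flow: the attribute read comes back empty, the property read
// recovers the nonce, and the inserted script carries it and is removed again.
function demo(pageNonce) {
  const doc = typeof document !== "undefined" ? document : makeFakeDocument(pageNonce);
  const first = doc.querySelectorAll("script")[0];
  const viaAttribute = first ? first.getAttribute("nonce") : null;
  const nonce = findPageNonce(doc);
  const el = evalScriptWithNonce(doc, "window.__jsfNonceProbe = 1;", nonce);
  return {
    viaAttribute: viaAttribute,
    nonce: nonce,
    insertedNonce: el.nonce,
    stillInHead: doc.head.contains(el),
  };
}
```

In a real page, demo() runs against the live document instead of the stand-in; with a header-delivered policy such as script-src 'self' 'nonce-test123', viaAttribute is "" and nonce is "test123", which is exactly the gap a getAttribute("nonce") lookup falls into.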