[ https://issues.apache.org/jira/browse/MYFACES-4479?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17617180#comment-17617180 ]
Werner Punz edited comment on MYFACES-4479 at 10/13/22 4:38 PM:
----------------------------------------------------------------

Thanks for changing the versions, I already have the fix working for the 4.0 scripts and a set of tests on top of it. Will cross check the old codebase tomorrow. Expect both to be fixed sometime tomorrow and a set of new tests in the integration testsuite.

was (Author: werpu):
Thanks for changing the versions, I already have the fix working for the 4.0 scripts and a set of tests on top of it. Will cross check the old codebase tomorrow. Expect both to be fixed sometime tomorrow.

> The jsf.js script does not read the nonce correctly in modern browsers.
> -----------------------------------------------------------------------
>
>                 Key: MYFACES-4479
>                 URL: https://issues.apache.org/jira/browse/MYFACES-4479
>             Project: MyFaces Core
>          Issue Type: Bug
>          Components: General
>    Affects Versions: 4.0.0-RC1, 2.3.10, 2.3-next-M7
>         Environment: Myfaces 2.3-next-M7
>                      Chrome: 106.0.5249.103
>            Reporter: Vitaly Sidorov
>            Assignee: Werner Punz
>            Priority: Major
>
> In Chrome it is no longer possible to get a nonce with getAttribute("nonce").
> You can only use HTMLElement.nonce (see:
> https://developer.mozilla.org/en-US/docs/Web/API/HTMLElement/nonce)
>
> Steps to reproduce:
> - set header Content-Security-Policy: script-src 'self' 'nonce-test123'
> - set <h:outputScript pt:nonce="test123" library="javax.faces" name="jsf.js" target="head"/>
> - set parameters org.apache.myfaces.USE_MULTIPLE_JS_FILES_FOR_JSF_UNCOMPRESSED_JS=false and javax.faces.PROJECT_STAGE=Developement
> - open page in browser and get multiple errors in console:
>
> {{jsf.js.jsf?ln=javax.faces&stage=Development:93 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'nonce=test123'". Either the 'unsafe-inline' keyword, a hash ('sha256-Xu6aRWi9bDVg9FaanKbn/uUSQUCsJ5g+bPB5SUYUIfk='), or a nonce ('nonce-...') is required to enable inline execution.}}
>
> The reason:
> The error falls on .appendChild(element) in code
> {{var htmlScriptElement = document.head.appendChild(element);}}
> {{document.head.removeChild(htmlScriptElement);}}

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
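The mechanism behind the report, as an added example that is not jsf.js or MyFaces code: a loader that reads its own nonce only through `getAttribute("nonce")` gets an empty string in browsers that hide the nonce attribute, so the script elements it creates carry no nonce and `appendChild` is refused by a `'nonce-...'` policy; reading the `nonce` IDL property first and copying it onto each created element fixes that. The example runs in Node without a DOM, so `makeScriptElement`, `fakeDocument` and `policyAllowsInsertedScript` are constructed stand-ins for the browser element, the document and the CSP enforcement step (simplified to an equality check on the nonce); the function names are mine, not the project's.

```javascript
// Added example, not code from MyFaces or jsf.js. Shows how a CSP-aware loader
// should obtain its nonce in a nonce-hiding browser and carry it over to the
// script elements it inserts. Everything DOM-like here is a constructed stand-in.

// Constructed element stand-in. In "hiding" mode the nonce content attribute
// reads back as "" (what modern browsers do once the element is connected) and
// only the .nonce IDL property still holds the value.
function makeScriptElement(nonce, { hiding }) {
  const attrs = { nonce: hiding ? "" : nonce };
  return {
    tagName: "SCRIPT",
    nonce, // IDL property: the only reliable source in hiding mode
    getAttribute(name) {
      return Object.prototype.hasOwnProperty.call(attrs, name) ? attrs[name] : null;
    },
    setAttribute(name, value) {
      attrs[name] = String(value);
      if (name === "nonce") this.nonce = String(value);
    },
  };
}

// Old pattern from the report: the content attribute alone. Empty in modern browsers.
function readNonceViaAttributeOnly(el) {
  const attr = el.getAttribute("nonce");
  return attr ? attr : null;
}

// Corrected pattern: IDL property first, attribute only as a fallback for engines
// that predate HTMLElement.nonce.
function readScriptNonce(el) {
  if (typeof el.nonce === "string" && el.nonce !== "") return el.nonce;
  const attr = el.getAttribute("nonce");
  return attr ? attr : null;
}

// Build the script element to be appended, stamping the loader's nonce on it
// before insertion so the policy check sees it.
function createNoncedScript(doc, sourceNonce, text) {
  const el = doc.createElement("script");
  el.text = text;
  if (sourceNonce) {
    el.nonce = sourceNonce;                // what the CSP check reads
    el.setAttribute("nonce", sourceNonce); // for engines that only know the attribute
  }
  return el;
}

// Simplified model of what a "script-src ... 'nonce-X'" policy does when a
// script element is inserted: allowed only if the element's nonce equals X.
function policyAllowsInsertedScript(policyNonce, el) {
  return typeof el.nonce === "string" && el.nonce !== "" && el.nonce === policyNonce;
}

// Constructed document stand-in; created elements behave like a modern browser's.
const fakeDocument = {
  createElement(tag) {
    const el = makeScriptElement("", { hiding: true });
    el.tagName = tag.toUpperCase();
    return el;
  },
};

// Walk-through mirroring the reproduction: policy nonce "test123", loader tag
// rendered with that nonce, loader creates a chunk and appends it.
function demo() {
  const policyNonce = "test123";
  const loader = makeScriptElement(policyNonce, { hiding: true });

  const broken = createNoncedScript(fakeDocument, readNonceViaAttributeOnly(loader), "/* chunk */");
  const fixed = createNoncedScript(fakeDocument, readScriptNonce(loader), "/* chunk */");

  return {
    attributeOnly: readNonceViaAttributeOnly(loader),                // null: attribute is hidden
    property: readScriptNonce(loader),                                // "test123"
    brokenAllowed: policyAllowsInsertedScript(policyNonce, broken),   // false: "Refused to execute inline script"
    fixedAllowed: policyAllowsInsertedScript(policyNonce, fixed),     // true
  };
}

console.log(demo());
```

The same `readScriptNonce` also serves a legacy engine that only has the attribute, since the property check falls through to `getAttribute`; the loader should apply the nonce to every element it inserts, not only the first, because each `appendChild` is checked separately.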