[ 
https://issues.apache.org/jira/browse/MYFACES-4479?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17617529#comment-17617529
 ] 

Werner Punz commented on MYFACES-4479:
--------------------------------------

I have added the tests and fixes to my pull requests for the integrationtests 
and the new scripts.

I will now tackle the old codebase. When fixing this on my new code, I noticed 
that the fixes proposed in the patch do not suffice entirely, because the nonce is 
not handled properly for embedded scripts (which are concatenated and then 
executed at once via the global nonce we have for jsf.js).

This works if the embedded script is not "nonced" but if there is a nonce flag 
we have to pull out of this scheme and eval with the nonce it has (and eval the 
concatenated scripts before)

I added 4 cases to my tests to handle the 4 possible scenarios

(failing nonce for script src, non-failing nonce for script src, and the same 
for embedded scripts)

 

So my plan for today is: I will backport my integration tests to JSF 2.3 and 
then take the patches in and fix the eval behavior as well.

The 4.0 codebase is working already and committed; you can get the code from the 
pull request. The question is, since we are going to migrate the code anyway for 
4.0 RC3 to the new TypeScript code, are we going to fix this for 4.0 RC2 on the 
old codebase?

There is not too much sense to perform this extra work in this case.

 

> The jsf.js script does not read the nonce correctly in modern browsers.
> -----------------------------------------------------------------------
>
>                 Key: MYFACES-4479
>                 URL: https://issues.apache.org/jira/browse/MYFACES-4479
>             Project: MyFaces Core
>          Issue Type: Bug
>          Components: General
>    Affects Versions: 4.0.0-RC1, 2.3.10, 2.3-next-M7
>         Environment: Myfaces 2.3-next-M7
> Chrome: 106.0.5249.103
>            Reporter: Vitaly Sidorov
>            Assignee: Werner Punz
>            Priority: Major
>
> In Chrome it is no longer possible to get a nonce with getAttribute("nonce").
> You can only use HTMLElement.nonce (see: 
> [https://developer.mozilla.org/en-US/docs/Web/API/HTMLElement/nonce])
> Steps to reproduce:
> - set header Content-Security-Policy: script-src 'self' 'nonce-test123'
> - set <h:outputScript pt:nonce="test123" library="javax.faces" name="jsf.js" 
> target="head"/>
> - set parameters 
> org.apache.myfaces.USE_MULTIPLE_JS_FILES_FOR_JSF_UNCOMPRESSED_JS=false and 
> javax.faces.PROJECT_STAGE=Development
> - open page in browser and get multiple errors in console: 
> {{jsf.js.jsf?ln=javax.faces&stage=Development:93 Refused to execute inline 
> script because it violates the following Content Security Policy directive: 
> "script-src 'self' 'nonce=test123'". Either the 'unsafe-inline' keyword, a 
> hash ('sha256-Xu6aRWi9bDVg9FaanKbn/uUSQUCsJ5g+bPB5SUYUIfk='), or a nonce 
> ('nonce-...') is required to enable inline execution.}}
> The reason:
> The error falls on .appendChild(element) in code
> {{var htmlScriptElement = document.head.appendChild(element);}}
> {{document.head.removeChild(htmlScriptElement);}}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
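The two points raised in this thread, reading the nonce via the `nonce` IDL property rather than `getAttribute("nonce")` (which CSP3-conformant browsers blank out once the element is in the document), and breaking a script that carries its own nonce out of the concatenate-and-eval batch that runs under the global jsf.js nonce, are illustrated below in an added example. This is not MyFaces code and not the patch or pull request discussed above; it uses only standard DOM properties. The `document` lookup for the jsf.js tag, the `doc`/`head` parameters and the script-descriptor shape `{src, text, nonce}` are assumptions made for the example; the fake document in the usage note stands in for a browser so it can run outside one.

```javascript
// Added example, not MyFaces code. Assumes a DOM-like `doc` with
// createElement()/head and script elements exposing the standard
// `nonce` property; in tests these are duck-typed stand-ins.

// CSP3 hides the nonce content attribute: once the element is connected,
// getAttribute("nonce") yields "" while the IDL property el.nonce still
// carries the value. Prefer the property; fall back for older engines.
function readNonce(scriptEl) {
  if (!scriptEl) return null;
  if (typeof scriptEl.nonce === 'string' && scriptEl.nonce !== '') {
    return scriptEl.nonce;
  }
  if (typeof scriptEl.getAttribute === 'function') {
    const attr = scriptEl.getAttribute('nonce');
    if (attr) return attr;
  }
  return null;
}

// The nonce has to be on the element *before* appendChild(): the policy
// check runs at insertion, which is where the reporter's error surfaces.
function createNoncedScript(doc, { src, text, nonce }) {
  const el = doc.createElement('script');
  el.type = 'text/javascript';
  if (nonce) {
    el.nonce = nonce;             // IDL property, also sets the hidden attribute
  }
  if (src) {
    el.src = src;
  } else {
    el.text = text;
  }
  return el;
}

// Scripts without their own nonce are concatenated and run once under the
// global (jsf.js) nonce. A script with its own nonce, or an external src,
// breaks the batch: the pending batch is flushed first, then the script runs
// under its own nonce, so document order is preserved.
function planExecution(scripts, globalNonce) {
  const plan = [];
  let batch = [];
  const flush = () => {
    if (batch.length) {
      plan.push({ nonce: globalNonce, text: batch.join('\n') });
      batch = [];
    }
  };
  for (const s of scripts) {
    if (s.src) {
      flush();
      plan.push({ nonce: s.nonce || globalNonce, src: s.src });
    } else if (s.nonce && s.nonce !== globalNonce) {
      flush();
      plan.push({ nonce: s.nonce, text: s.text });
    } else {
      batch.push(s.text);
    }
  }
  flush();
  return plan;
}

// Append each planned element to <head>; inline scripts have executed by
// the time appendChild() returns, so they are removed again. External
// scripts stay so they can load.
function executePlan(doc, plan) {
  const head = doc.head;
  return plan.map((step) => {
    const el = createNoncedScript(doc, step);
    head.appendChild(el);
    if (!step.src) head.removeChild(el);
    return el;
  });
}

// Browser bootstrap (assumed lookup of the jsf.js tag; skipped under Node).
if (typeof document !== 'undefined') {
  const jsfTag = document.querySelector('script[src*="jsf.js"]');
  const globalNonce = readNonce(jsfTag);
  console.log('global nonce available:', globalNonce !== null);
}
```

To exercise it without a browser, pass a minimal object with `createElement()` and a `head` that records `appendChild`/`removeChild`; elements created that way start with `nonce: ''` and a `getAttribute` that returns `''`, mirroring what a CSP3 browser returns for the hidden attribute.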
