[ https://issues.apache.org/jira/browse/MYFACES-4479?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17617650#comment-17617650 ]

Werner Punz edited comment on MYFACES-4479 at 10/14/22 12:00 PM:
-----------------------------------------------------------------

The fix is in for 2.3 next and the new 4.0RC3 codebase, please test it.

I will also crossport the fix for RC2

was (Author: werpu):
The fix is in for 2.3 next and the new 4.0RC3 codebase, please test it.

The question is: are we going to take the fix in also for RC2, or are we going to 
wait for RC3 to have it automatically with the new scripts?

> The jsf.js script does not read the nonce correctly in modern browsers.
> -----------------------------------------------------------------------
>
>                 Key: MYFACES-4479
>                 URL: https://issues.apache.org/jira/browse/MYFACES-4479
>             Project: MyFaces Core
>          Issue Type: Bug
>          Components: General
>    Affects Versions: 4.0.0-RC1, 2.3.10, 2.3-next-M7
>         Environment: Myfaces 2.3-next-M7
> Chrome: 106.0.5249.103
>            Reporter: Vitaly Sidorov
>            Assignee: Werner Punz
>            Priority: Major
>
> In Chrome it is no longer possible to get a nonce with getAttribute("nonce").
> You can only use HTMLElement.nonce (see: 
> https://developer.mozilla.org/en-US/docs/Web/API/HTMLElement/nonce)
> Steps to reproduce:
> - set header Content-Security-Policy: script-src 'self' 'nonce-test123'
> - set <h:outputScript pt:nonce="test123" library="javax.faces" name="jsf.js" 
> target="head"/>
> - set parameters 
> org.apache.myfaces.USE_MULTIPLE_JS_FILES_FOR_JSF_UNCOMPRESSED_JS=false and 
> javax.faces.PROJECT_STAGE=Development
> - open page in browser and get multiple errors in console: 
> {{jsf.js.jsf?ln=javax.faces&stage=Development:93 Refused to execute inline 
> script because it violates the following Content Security Policy directive: 
> "script-src 'self' 'nonce=test123'". Either the 'unsafe-inline' keyword, a 
> hash ('sha256-Xu6aRWi9bDVg9FaanKbn/uUSQUCsJ5g+bPB5SUYUIfk='), or a nonce 
> ('nonce-...') is required to enable inline execution.}}
> The reason:
> The error falls on .appendChild(element) in code
> {{var htmlScriptElement = document.head.appendChild(element);}}
> {{document.head.removeChild(htmlScriptElement);}}
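The failure described in the report comes from "nonce hiding": browsers that implement it clear the nonce content attribute after the script element is parsed, so getAttribute("nonce") returns an empty string and only the HTMLElement.nonce IDL property still carries the value. A script loader that reads the attribute therefore creates child script elements without a nonce, and CSP blocks them. The following is an added example (not MyFaces code, not the fix Werner Punz committed) showing the attribute-only read beside a property-first read with an attribute fallback, and a helper that propagates the nonce onto a dynamically created script. The DOM stand-ins (makeHidingScriptElement, makeLegacyScriptElement, fakeDocument) are constructed so the example runs outside a browser; they are not real DOM objects.

```javascript
// Added example: CSP nonce handling for dynamically created <script> elements.
// Not part of the MyFaces project; the DOM stand-ins below are constructed.

// The pre-fix style of read: works only in engines that keep the attribute.
function readNonceAttributeOnly(el) {
  const attr = el && typeof el.getAttribute === "function" ? el.getAttribute("nonce") : null;
  return attr || "";
}

// Property first (nonce-hiding browsers), attribute as a legacy fallback.
function readNonce(el) {
  if (!el) return "";
  if (typeof el.nonce === "string" && el.nonce !== "") return el.nonce;
  if (typeof el.getAttribute === "function") {
    const attr = el.getAttribute("nonce");
    if (attr) return attr;
  }
  return "";
}

// Create a script carrying the nonce so a "script-src 'nonce-...'" policy
// permits it. Both the property and the attribute are set: nonce-hiding engines
// read the property, older engines only know the attribute.
function createNoncedScript(doc, opts, nonce) {
  const script = doc.createElement("script");
  if (opts.src) script.src = opts.src;
  if (opts.text) script.text = opts.text; // inline body, the case from the report
  if (nonce) {
    script.nonce = nonce;
    script.setAttribute("nonce", nonce);
  }
  return script;
}

// --- Constructed stand-ins (assumption: they mimic, not implement, the DOM) ---

// A <script nonce="..."> as a nonce-hiding browser exposes it after parsing:
// attribute stripped, value available only via the property.
function makeHidingScriptElement(nonce) {
  return { nonce, getAttribute: (name) => (name === "nonce" ? "" : null) };
}

// The same element in an engine without nonce hiding: attribute only.
function makeLegacyScriptElement(nonce) {
  const attrs = { nonce };
  return { getAttribute: (name) => (name in attrs ? attrs[name] : null) };
}

// Minimal document whose createElement returns a plain element record.
const fakeDocument = {
  createElement(tag) {
    const attrs = {};
    return {
      tagName: tag.toUpperCase(),
      src: "",
      text: "",
      nonce: "",
      setAttribute(name, value) { attrs[name] = String(value); },
      getAttribute(name) { return name in attrs ? attrs[name] : null; },
    };
  },
};

// Stand-alone run: the page's repro uses nonce "test123".
const loaderTag = makeHidingScriptElement("test123");
const child = createNoncedScript(
  fakeDocument,
  { src: "jsf.js.jsf?ln=javax.faces&stage=Development" },
  readNonce(loaderTag)
);
console.log("attribute-only read:", JSON.stringify(readNonceAttributeOnly(loaderTag)));
console.log("property-first read:", JSON.stringify(readNonce(loaderTag)));
console.log("child script nonce:", child.nonce);
```

In a real browser, the loader tag is the `<script>` that jsf.js itself was loaded from (the element rendered by `h:outputScript` with `pt:nonce`), and `doc` is `document`; everything else is the same. Setting only the attribute on the new element is not enough in a nonce-hiding engine, and reading only the attribute from the loader tag is what produced the errors in the report.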



--
This message was sent by Atlassian Jira
(v8.20.10#820010)