[
https://issues.apache.org/jira/browse/MYFACES-4481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17634011#comment-17634011
]
Vitaly Sidorov commented on MYFACES-4481:
-----------------------------------------
any ideas?
> HTML event handlers don't work without 'unsafe-inline'
> ------------------------------------------------------
>
> Key: MYFACES-4481
> URL: https://issues.apache.org/jira/browse/MYFACES-4481
> Project: MyFaces Core
> Issue Type: Bug
> Components: General
> Affects Versions: 2.3-next-M7
> Environment: Chrome: 106.0.5249.103
> Reporter: Vitaly Sidorov
> Priority: Major
>
> HTML event handlers don't work without 'unsafe-inline' in
> 'Content-Security-Policy' header.
> Steps to reproduce:
> - use jsf-2.3-next with fixed bug MYFACES-4479
> - set header Content-Security-Policy: script-src 'self' 'nonce-test123'
> - set <h:outputScript pt:nonce="test123" library="javax.faces" name="jsf.js"
> target="head"/>
> - add h:commandLink inside h:form
> - set parameters
> org.apache.myfaces.USE_MULTIPLE_JS_FILES_FOR_JSF_UNCOMPRESSED_JS=false and
> javax.faces.PROJECT_STAGE=Developement
> - open page in browser and click to link
> - get error in console:
> {{Refused to execute inline event handler because it violates the following
> Content Security Policy directive: "script-src 'self' 'nonce-test123'".
> Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce
> ('nonce-...') is required to enable inline execution. Note that hashes do not
> apply to event handlers, style attributes and javascript: navigations unless
> the 'unsafe-hashes' keyword is present.}}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
