[ https://issues.apache.org/jira/browse/MYFACES-4481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17634011#comment-17634011 ]
Vitaly Sidorov commented on MYFACES-4481:
-----------------------------------------

Any ideas?

> HTML event handlers don't work without 'unsafe-inline'
> ------------------------------------------------------
>
>                 Key: MYFACES-4481
>                 URL: https://issues.apache.org/jira/browse/MYFACES-4481
>             Project: MyFaces Core
>          Issue Type: Bug
>          Components: General
>    Affects Versions: 2.3-next-M7
>         Environment: Chrome: 106.0.5249.103
>            Reporter: Vitaly Sidorov
>            Priority: Major
>
> HTML event handlers don't work without 'unsafe-inline' in 'Content-Security-Policy' header.
> Steps to reproduce:
> - use jsf-2.3-next with fixed bug MYFACES-4479
> - set header Content-Security-Policy: script-src 'self' 'nonce-test123'
> - set <h:outputScript pt:nonce="test123" library="javax.faces" name="jsf.js" target="head"/>
> - add h:commandLink inside h:form
> - set parameters org.apache.myfaces.USE_MULTIPLE_JS_FILES_FOR_JSF_UNCOMPRESSED_JS=false and javax.faces.PROJECT_STAGE=Developement
> - open page in browser and click the link
> - get error in console:
> {{Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-test123'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.}}

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
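
The console error quoted in the report follows from how CSP Level 3 treats handler attributes, shown here as an added example that is not part of the original message or of MyFaces. It is a simplified model of the browser check; `parseCsp`, `inlineHandlerAllowed` and the handler text are assumptions made for illustration.

```javascript
const { createHash } = require('node:crypto');

// Parse a CSP header value into { directive: [source expressions] }.
// A repeated directive is ignored; only the first occurrence counts.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !(name.toLowerCase() in policy)) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Decide whether an inline event handler attribute (onclick="...") may run.
function inlineHandlerAllowed(header, handlerSource) {
  const policy = parseCsp(header);
  // Handlers are governed by script-src-attr, then script-src, then default-src.
  const list = policy['script-src-attr'] ?? policy['script-src'] ?? policy['default-src'];
  if (list === undefined) return { allowed: true, reason: 'no script directive applies' };

  const keywords = list.map((s) => s.toLowerCase());
  const hashes = list.map((s) => /^'(sha256|sha384|sha512)-([^']+)'$/i.exec(s)).filter(Boolean);
  const hasNonce = keywords.some((s) => s.startsWith("'nonce-"));

  // 'unsafe-inline' is ignored as soon as a nonce, a hash or 'strict-dynamic' is present.
  if (keywords.includes("'unsafe-inline'") && !hasNonce && hashes.length === 0 &&
      !keywords.includes("'strict-dynamic'")) {
    return { allowed: true, reason: "'unsafe-inline' in effect" };
  }
  // Nonces are never consulted for handler attributes; hashes only with 'unsafe-hashes'.
  if (keywords.includes("'unsafe-hashes'")) {
    for (const [, algo, expected] of hashes) {
      const digest = createHash(algo.toLowerCase()).update(handlerSource, 'utf8').digest('base64');
      if (digest === expected) return { allowed: true, reason: `'unsafe-hashes' with matching ${algo}` };
    }
  }
  return { allowed: false, reason: hasNonce ? 'nonce does not apply to event handlers' : 'no matching source' };
}

// Constructed handler text; the policy is the one from the report.
const handler = "return submit('form1');";
console.log(inlineHandlerAllowed("script-src 'self' 'nonce-test123'", handler));
```

Handlers registered with `addEventListener` from a script that carries the nonce are not handler attributes, so this check does not apply to them.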