[ 
https://issues.apache.org/jira/browse/MYFACES-4481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17634057#comment-17634057
 ] 

Melloware commented on MYFACES-4481:
------------------------------------

Adding [~werpu] as he may know, but this would mean the events would need to be 
rewritten not to be inline events. PrimeFaces had to write a whole section to 
move events from being inline to being JS calls.

For example:


{code:java}
<button id="btnHello" onclick="sayHello();">Say Hello</button>{code}
Is automatically converted to:
{code:java}
<button id="btnHello">Say Hello</button>{code}
{code:java}
// Bind the function reference; sayHello() would run once at bind time.
$('#btnHello').on('click', sayHello);{code}

> HTML event handlers don't work without 'unsafe-inline'
> ------------------------------------------------------
>
>                 Key: MYFACES-4481
>                 URL: https://issues.apache.org/jira/browse/MYFACES-4481
>             Project: MyFaces Core
>          Issue Type: Bug
>          Components: General
>    Affects Versions: 2.3-next-M7
>         Environment: Chrome: 106.0.5249.103
>            Reporter: Vitaly Sidorov
>            Priority: Major
>
> HTML event handlers don't work without 'unsafe-inline' in 
> 'Content-Security-Policy' header.
> Steps to reproduce:
>  - use jsf-2.3-next with fixed bug MYFACES-4479
>  - set header Content-Security-Policy: script-src 'self' 'nonce-test123'
>  - set <h:outputScript pt:nonce="test123" library="javax.faces" name="jsf.js" 
> target="head"/>
>  - add h:commandLink inside h:form
>  - set parameters 
> org.apache.myfaces.USE_MULTIPLE_JS_FILES_FOR_JSF_UNCOMPRESSED_JS=false and 
> javax.faces.PROJECT_STAGE=Developement
>  - open page in browser and click the link
>  - get error in console:
> {{Refused to execute inline event handler because it violates the following 
> Content Security Policy directive: "script-src 'self' 'nonce-test123'". 
> Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce 
> ('nonce-...') is required to enable inline execution. Note that hashes do not 
> apply to event handlers, style attributes and javascript: navigations unless 
> the 'unsafe-hashes' keyword is present.}}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
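
The conversion described in the comment above, as an added example that is not part of the original thread and is not PrimeFaces or MyFaces code: inline `on*` attributes are stripped from rendered markup and re-registered from a single script block that carries the page nonce. The function name `externalizeHandlers`, the `csp_h` id prefix and the sample markup are hypothetical; it assumes quoted attribute values without character references.

```javascript
// Added example: move inline on* handlers out of rendered markup into one
// nonce-carrying script block so a nonce-based script-src accepts them.
// Assumes quoted attribute values without character references.
const TAG = /<([a-zA-Z][\w:-]*)((?:\s+[\w:-]+(?:\s*=\s*(?:"[^"]*"|'[^']*'))?)*)\s*(\/?)>/g;
const ATTR = /\s+([\w:-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'))?/g;

function externalizeHandlers(html, nonce) {
  const bindings = [];
  let autoId = 0;
  const markup = html.replace(TAG, (whole, name, attrs, selfClose) => {
    const kept = [];
    const handlers = [];
    let id = null;
    for (const m of attrs.matchAll(ATTR)) {
      const attr = m[1].toLowerCase();
      const value = m[2] ?? m[3];
      if (attr.startsWith('on') && value !== undefined) {
        handlers.push({ event: attr.slice(2), body: value });
        continue; // the inline handler is dropped from the markup
      }
      if (attr === 'id') id = value;
      kept.push(m[0]);
    }
    if (handlers.length === 0) return whole; // nothing CSP would block
    if (id === null) {
      id = `csp_h${autoId++}`; // constructed id so the script can find the element
      kept.push(` id="${id}"`);
    }
    for (const h of handlers) bindings.push({ id, event: h.event, body: h.body });
    return `<${name}${kept.join('')}${selfClose ? ' /' : ''}>`;
  });
  // Keep inline-handler semantics: `this` is the element, `event` is in scope,
  // and a `return false` cancels the default action.
  const lines = bindings.map((b) =>
    `document.getElementById(${JSON.stringify(b.id)}).addEventListener(` +
    `${JSON.stringify(b.event)}, function (event) { ` +
    `if ((function (event) { ${b.body} }).call(this, event) === false) ` +
    `event.preventDefault(); });`);
  const script = lines.length
    ? `<script nonce="${nonce}">\n${lines.join('\n')}\n</script>` : '';
  return { markup, script, bindings };
}

// Constructed sample: the button from the comment above.
const sample = '<button id="btnHello" onclick="sayHello();">Say Hello</button>';
const result = externalizeHandlers(sample, 'test123');
console.log(result.markup);
console.log(result.script);
```

The generated block is allowed by `script-src 'self' 'nonce-test123'` because it is a nonce-bearing script element rather than an event-handler attribute, which nonces never cover.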
