[MYFACES-4280] CSP: nonce attribute on script tags will be ignored on ajax updates - ASF JIRA

XML

Word

Printable

JSON

Details

Type: New Feature
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 2.3-next-M1
Component/s: None
Labels:
None

Description

simple CSP case:

add a static nonce via phaselistener/servlerfilter in the headers
add the the static nonce to a script tag

this works fine for a GET request or non-ajax POST but our ajax engine just ignores the nonce attribute on scripts and following error occurs in the browser:

Content Security Policy: Die Einstellungen der Seite haben das Laden einer Ressource auf inline blockiert ("script-src").

There will probably other tickets in the future but thats the first basic case which must be supported.
There are of course other problems like onclick handlers in the DOM or the eval node in the partial-response.

Similar to: https://github.com/jquery/jquery/issues/3541

Attachments

Activity

People

Assignee:: Werner Punz

Reporter:: Thomas Andraschko

Votes:: 1 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 28/Jan/19 10:41

Updated:: 30/Sep/19 16:58

Resolved:: 30/Sep/19 16:58