In PrimeFaces we are currently working on a CSP prototype.
Basically PrimeFaces can do all the work; however, it's currently impossible to support f:ajax.
Let's talk about a simple case:
Add a "static" nonce header via PhaseListener/ServletFilter.
Add a "static" nonce attribute to a script tag.
If you open the view via the first GET or submit the form via non-ajax, everything works fine.
But if you update e.g. a form via AJAX, JSF processes the update node in the partial-response - BUT - it ignores the nonce attributes on script tags.
That's basically the same problem: "Issue using JQuery 3.1.1 and CSP" (jquery/jquery#3541).
As you may already know, PrimeFaces offers a way to execute JavaScript from a ManagedBean (RequestContext#execute).
This functionality is based on the eval node in the partial-response.
We could easily add nonce support here if we added a nonce attribute to the eval node.
Both issues can probably be implemented without big effort and would allow extension libraries to add full CSP support.
The first issue probably doesn't even require spec changes; the second one would require enhancing the partial-response schema. But we could implement both issues in 2.x and just change the spec in 3.x. MF and Mojarra should just do it the same way.
Of course there are some implementation details in the CSP prototype, but the above issues would be enough to implement in the JSF impls.
See: https://www.eclipse.org/lists/mojarra-dev/msg00058.html
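As an added example (not code from this issue, nor from Mojarra, MyFaces or PrimeFaces), the following models the client side of the two points above: scripts arriving inside an `<update>` node keep their own `nonce` attribute, an `<eval>` node would carry the proposed `nonce` attribute, and a script-src nonce policy only lets a script run when the element the client creates for it has a matching nonce. The partial-response document, the element id and the nonce value are constructed for this example.

```javascript
// Constructed model of JSF partial-response handling under a nonce-based CSP.
// Assumptions: the regexes are enough for this constructed sample (a real client
// would use the browser's XML/DOM parser), and the nonce value is made up.
const NODE_RE = /<(update|eval)\b([^>]*)>\s*<!\[CDATA\[([\s\S]*?)\]\]>\s*<\/\1>/g;
const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const ATTR_RE = /([\w-]+)\s*=\s*"([^"]*)"/g;

function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR_RE)) attrs[m[1].toLowerCase()] = m[2];
  return attrs;
}

// Turn a partial-response into the scripts the client would have to execute.
// <update>: each inline <script> keeps its own nonce attribute (first point).
// <eval>: the nonce comes from the proposed attribute on the eval node (second point).
function collectScripts(partialResponseXml) {
  const scripts = [];
  for (const m of partialResponseXml.matchAll(NODE_RE)) {
    const [, kind, rawAttrs, body] = m;
    const attrs = parseAttrs(rawAttrs);
    if (kind === 'eval') {
      scripts.push({ source: 'eval', code: body.trim(), nonce: attrs.nonce || null });
      continue;
    }
    for (const s of body.matchAll(SCRIPT_RE)) {
      const sAttrs = parseAttrs(s[1]);
      scripts.push({ source: 'update:' + attrs.id, code: s[2].trim(), nonce: sAttrs.nonce || null });
    }
  }
  return scripts;
}

// Browser rule for script-src 'nonce-<pageNonce>': an inline script runs only when
// its nonce attribute matches exactly. A client that drops the attribute while
// recreating the element (what the issue describes) yields nonce === null -> blocked.
function cspAllows(script, pageNonce) {
  return script.nonce !== null && script.nonce === pageNonce;
}

// Constructed sample: an updated form with a nonced script, an eval node with the
// proposed nonce attribute, and an eval node as emitted today (no nonce).
const SAMPLE = `<partial-response><changes>
<update id="form"><![CDATA[<form id="form"><script nonce="r4nd0m">init();</script></form>]]></update>
<eval nonce="r4nd0m"><![CDATA[PrimeFaces.ab({s:'form'});]]></eval>
<eval><![CDATA[legacy();]]></eval>
</changes></partial-response>`;

function demo() {
  return collectScripts(SAMPLE).map(s => ({ source: s.source, allowed: cspAllows(s, 'r4nd0m') }));
}
```

Running `demo()` shows the nonced update script and the nonced eval node allowed, and the nonce-less eval node blocked, which is the gap the issue asks the JSF impls to close.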