[MYFACES-4479] The jsf.js script does not read the nonce correctly in modern browsers. - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 4.0.0-RC1, 2.3.10, 2.3-next-M7
Fix Version/s: 2.3-next-M8, 4.0.0-RC2, 4.0.0-RC3
Component/s: General
Labels:
None
Environment:
Myfaces 2.3-next-M7
Chrome: 106.0.5249.103

Description

In Chrome it is no longer possible to get a nonce with getAttribute("nonce").

You can only use HTMLElement.nonce (see: https://developer.mozilla.org/en-US/docs/Web/API/HTMLElement/nonce)

Steps to reproduce:

set header Content-Security-Policy: script-src 'self' 'nonce-test123'
set <h:outputScript pt:nonce="test123" library="javax.faces" name="jsf.js" target="head"/>
set parameters org.apache.myfaces.USE_MULTIPLE_JS_FILES_FOR_JSF_UNCOMPRESSED_JS=false and javax.faces.PROJECT_STAGE=Developement
open page in browser and get multiple errors in console:

jsf.js.jsf?ln=javax.faces&stage=Development:93 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'nonce=test123'". Either the 'unsafe-inline' keyword, a hash ('sha256-Xu6aRWi9bDVg9FaanKbn/uUSQUCsJ5g+bPB5SUYUIfk='), or a nonce ('nonce-...') is required to enable inline execution.

The reason:
The error falls on .appendChild(element) in code

var htmlScriptElement = document.head.appendChild(element);
document.head.removeChild(htmlScriptElement);

Attachments

Issue Links

links to

GitHub Pull Request #342

GitHub Pull Request #344

Activity

People

Assignee:: Werner Punz

Reporter:: Vitaly Sidorov

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 13/Oct/22 11:51

Updated:: 14/Oct/22 16:40

Resolved:: 14/Oct/22 12:28