CSP support

[tandraschko]

See: https://www.eclipse.org/lists/mojarra-dev/msg00058.html

in PrimeFaces we are currently working on a CSP prototype. Basically PrimeFaces can do all the work, however it's currently impossible to support f:ajax.

Lets talk about a simple case:

• add a "static" nonce header via phaselistener/servletfilter
• add a "static" nonce attribute to a script tag

1) If you open the view via the first GET or submit the form via non-ajax, everything works fine. But if you update via AJAX e.g. a form, JSF process the update node in the partial-response - BUT - it ignores the nonce attributes on script tags. Thats basically the same problem: https://github.com/jquery/jquery/issues/3541

2) As you may already know, PrimeFaces offers a way to execute javascript from a ManagedBean (RequestContext#execute). This functionality is based on the eval node in the partial-response. We could easily add a nonce support here if we would add a nonce attribute to the eval node.

Both issues can probably be implemented without big effort and would allow extensions libraries to add a whole CSP support. The first issue doesn't even require spec changes probably, the second one would require to enhance the partial-response schema. But we could implement both issues in 2.x and just change the spec in 3.x. MF and Mojarra should just do it the same way.

Of course there are some implementation details in the CSP prototype but the above issues would be enough to implement in the JSF impls.

[github-actions[bot]]

This issue is marked as stale because there was no activity on it for the last 2 years. Remove stale label or comment or this will be closed in 30 days

[melloware]

Not stale

[tandraschko]

Also see: https://issues.apache.org/jira/projects/MYFACES/issues/MYFACES-4481

[volosied]

It would be great to see this as part of EE11. @tandraschko @arjantijms

[s2rgi0]

what should the web.xml configuration look like if you want to use nonce