search

primefaces / primefaces

Ultimate Component Suite for JavaServer Faces
http://www.primefaces.org
MIT License
1.79k stars 762 forks source link

FileDownload: Using AJAX with CSP enabled causes two files to download #12189

Closed melloware closed 3 months ago

melloware commented 3 months ago

Describe the bug

When using ajax="true" and primefaces.CSP enabled the file is downloaded twice.

Reproducer

pf-ajax-filedownload.zip

  1. Open the Dialog and press Download or Download AJAX.
  2. With non-ajax download it works fine.
  3. With AJAX download you will see two duplicate files download default.txt and default(1).txt.

Expected behavior

Only 1 file downloaded.

PrimeFaces edition

Community

PrimeFaces version

14.0.1

Theme

No response

JSF implementation

Mojarra

JSF version

2.3

Java version

11

Browser(s)

No response

melloware commented 3 months ago

OK debugging this it looks like the CSP writer is repsonding with two changes in the response.

Mojarra

<?xml version='1.0' encoding='utf-8'?>
<partial-response>
    <changes>
        <update id="j_id1:javax.faces.ViewState:0"><![CDATA[-3062967971984750337:-4716082205787380923]]></update>
        <eval><![CDATA[if(window.PrimeFaces){PrimeFaces.csp.init('MTEzNjU3NDQtYWZiNy00NTYzLWEzMzgtOTFkOTJjZDgyNjBi');};;PrimeFaces.download('/javax.faces.resource/dynamiccontent.properties.xhtml?ln=primefaces&v=15.0.0-SNAPSHOT&pfdrid=c07524ce314cee24b9418afbab32a60f&pfdrt=sc&pfdrid_c=false&uid=fe1f9aaf-4787-4764-8710-49594f5ca3a1', 'text/plain', 'default.txt', 'primefaces.download_test');]]></eval>
    </changes>
    <changes>
        <eval><![CDATA[if(window.PrimeFaces){PrimeFaces.csp.init('MTEzNjU3NDQtYWZiNy00NTYzLWEzMzgtOTFkOTJjZDgyNjBi');};;PrimeFaces.download('/javax.faces.resource/dynamiccontent.properties.xhtml?ln=primefaces&v=15.0.0-SNAPSHOT&pfdrid=c07524ce314cee24b9418afbab32a60f&pfdrt=sc&pfdrid_c=false&uid=fe1f9aaf-4787-4764-8710-49594f5ca3a1', 'text/plain', 'default.txt', 'primefaces.download_test');]]></eval>
    </changes>
</partial-response>

MyFaces

<?xml version="1.0" encoding="UTF-8"?>
<partial-response id="j_id__v_0">
    <changes>
        <update id="javax.faces.Resource"><![CDATA[]]></update>
        <update id="j_id__v_0:javax.faces.ViewState:1"><![CDATA[NkI5MUU3REJGMDVENTc5ODAwMDAwMDAx]]></update>
        <eval><![CDATA[if(window.PrimeFaces){PrimeFaces.csp.init('NWEzYjZiNzctNTZjNS00ZjYwLWIwODAtNjI0OWZlYzhmY2U3');};;PrimeFaces.download('/javax.faces.resource/dynamiccontent.properties.xhtml?ln=primefaces&v=15.0.0-SNAPSHOT&pfdrid=c07524ce314cee24b9418afbab32a60f&pfdrt=sc&pfdrid_c=false&uid=f4e651f5-47e0-476d-9888-db3281211f9a', 'text/plain', 'default.txt', 'primefaces.download_test');]]></eval>
    </changes>
</partial-response>
melloware commented 3 months ago

OK updated it works properly in MyFaces it fails in Mojarra 2.3.21.

melloware commented 3 months ago

I opened a Mojarra ticket: https://github.com/eclipse-ee4j/mojarra/issues/5456

melloware commented 3 months ago

OK the real bug was here.

writer = new CspPartialResponseWriter(writer, context, PrimeFacesContext.getCspState(context));

to

writer = new CspPartialResponseWriter(parentWriter, context, PrimeFacesContext.getCspState(context));

Passing in the original writer and not the already wrapped Partial Writer.