[ https://issues.apache.org/jira/browse/MYFACES-4280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16893425#comment-16893425 ]

Werner Punz edited comment on MYFACES-4280 at 7/26/19 7:53 AM:
---------------------------------------------------------------

Yes and there is nothing I can do on the javascript side about it.

The problem there is the *onclick="jsf.util.chain(this,event 
'jsf.ajax.request...)* call

When this was written there was no CSP, and it was valid JavaScript; however, 
CSP does not allow such a construct anymore unless you ease the restrictions.

However, this is relaxed by default on Chrome, while Firefox has the stricter 
default security in this case (and this is probably the reason why sites 
sometimes have non-working submit buttons on fox).

The proper CSP way would be the following:

    <input type="button" id="chaincall" value="press for chaintest"/>

    <!-- the nonce must match the one sent in the CSP header -->
    <script type="text/javascript" nonce="booga">
        document.getElementById("chaincall").onclick = function(event) {
            var _t = this;
            // pass the ajax request as a function, not as a string to be evaled
            jsf.util.chain(this, event, function() { jsf.ajax.request(_t, event...) });
            return false;
        };
    </script>

Note that not even in the nonce-marked block is a call to *jsf.util.chain(.., 
'script to be evaled')* possible anymore.

The reason lies in the nature of how the eval is possible.

A normal eval is not possible anymore with CSP; the head appendix method 
literally everyone uses is still possible.

The problem with the head appendix method is that it is by nature asynchronous 
to the JavaScript execution. While this normally poses no problem, for chain it 
does.

Chain requires a true or false return value for a single script. Now, if true 
is returned, the chain properly continues with the next function/eval part. In 
case of false, it is not possible anymore and terminates prematurely. This is 
by spec.

Now, if we use the head appendix method, this is done asynchronously, and an 
onDomReady handler should be used to go to the next step.

A proper solution would be to replace the true/false return on the spec side 
with promises, but for IE11 support we need a shim, since promises are not 
supported natively by that browser. Also, the spec needs to be reworked in this 
area for proper CSP support.

However, what can we do now?

We probably have to replace our inline onclick handler with nonced embedded 
JavaScript and apply the pattern I am proposing here.

I checked the specs; I could not find anything which points towards an 
implementation with an onclick handler for the ajax behavior, but I might have 
missed something.

If there is a spec enforcement, it would be wise to simply add a CSP context 
param and adjust the f:ajax accordingly.

So that's all I can do for the moment. Someone else might have to pick up the 
f:ajax side.
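Added example (not code from the comment or from MyFaces) illustrating the chain problem described above: a spec-style chain only sees the synchronous return value, so a part that loads its script asynchronously via the head appendix method cannot stop it, while a promise-based chain waits for the part's answer. All function names are hypothetical; the asynchronous step is a constructed stand-in for a nonced script element appended to head.

```javascript
// Added example, not MyFaces code. Contrasts the spec's synchronous
// true/false chain with a promise-based chain that can wait for a step
// that loads its script asynchronously (the "head appendix" method).
// chainSync, chainAsync, syncStep and asyncStep are hypothetical names.

// Spec-style chain: every part is evaluated synchronously and the chain
// stops only on a literal false return value.
function chainSync(source, event, ...steps) {
  const executed = [];
  for (const step of steps) {
    const result = step.call(source, event);   // a Promise is not false
    executed.push(step.name);
    if (result === false) return { completed: false, executed };
  }
  return { completed: true, executed };
}

// Promise-based chain: await lets a part answer true/false later, so a
// part resolving to false still terminates the chain before the next one.
async function chainAsync(source, event, ...steps) {
  const executed = [];
  for (const step of steps) {
    const result = await step.call(source, event);
    executed.push(step.name);
    if (result === false) return { completed: false, executed };
  }
  return { completed: true, executed };
}

// Constructed steps. asyncStep stands in for a nonced <script> element
// appended to <head>, whose outcome is only known after its load event.
function syncStep(name, value) {
  const fn = function () { return value; };
  return Object.defineProperty(fn, 'name', { value: name });
}
function asyncStep(name, value, delayMs = 5) {
  const fn = function () {
    return new Promise((resolve) => setTimeout(() => resolve(value), delayMs));
  };
  return Object.defineProperty(fn, 'name', { value: name });
}

// Same three parts for both chains; the middle part is asynchronous and
// answers false. The sync chain runs ajaxRequest anyway, the async one stops.
function demoParts() {
  return [syncStep('validate', true), asyncStep('loadScript', false),
          syncStep('ajaxRequest', true)];
}
console.log(chainSync({}, {}, ...demoParts()));
chainAsync({}, {}, ...demoParts()).then((r) => console.log(r));
```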

was (Author: werpu):
Yes and there is nothing I can do on the javascript side about it.

The problem there is the *onclick="jsf.util.chain(this,event 
'jsf.ajax.request...)* call

When this was written there was no CSP, and it was valid JavaScript; the spec 
also states that clearly. However, CSP does not allow such a construct unless 
you ease the restrictions.

However, this is relaxed by default on Chrome, while Firefox has the stricter 
default security in this case (and this is probably the reason why sites 
sometimes have non-working submit buttons on fox).

The proper CSP way would be the following:

    <input type="button" id="chaincall" value="press for chaintest"/>

    <!-- the nonce must match the one sent in the CSP header -->
    <script type="text/javascript" nonce="booga">
        document.getElementById("chaincall").onclick = function(event) {
            var _t = this;
            // pass the ajax request as a function, not as a string to be evaled
            jsf.util.chain(this, event, function() { jsf.ajax.request(_t, event...) });
            return false;
        };
    </script>

Note that not even in the nonce-marked block is a call to *jsf.util.chain(.., 
'script to be evaled')* possible anymore.

The reason lies in the nature of how the eval is possible.

A normal eval is not possible anymore with CSP; the head appendix method 
literally everyone uses is still possible.

The problem with the head appendix method is that it is by nature asynchronous 
to the JavaScript execution. While this normally poses no problem, for chain it 
does.

Chain requires a true or false return value for a single script. Now, if true 
is returned, the chain properly continues with the next function/eval part. In 
case of false, it is not possible anymore and terminates prematurely. This is 
by spec.

Now, if we use the head appendix method, this is done asynchronously, and an 
onDomReady handler should be used to go to the next step.

A proper solution would be to replace the true/false return on the spec side 
with promises, but for IE11 support we need a shim, since promises are not 
supported natively by that browser. Also, the spec needs to be reworked in this 
area for proper CSP support.

However, what can we do now?

We probably have to replace our inline onclick handler with nonced embedded 
JavaScript and apply the pattern I am proposing here.

I checked the specs; I could not find anything which points towards an 
implementation with an onclick handler for the ajax behavior, but I might have 
missed something.

If there is a spec enforcement, it would be wise to simply add a CSP context 
param and adjust the f:ajax accordingly.

So that's all I can do for the moment. Someone else might have to pick up the 
f:ajax side.

> CSP: nonce attribute on script tags will be ignored on ajax updates
> -------------------------------------------------------------------
>
>                 Key: MYFACES-4280
>                 URL: https://issues.apache.org/jira/browse/MYFACES-4280
>             Project: MyFaces Core
>          Issue Type: New Feature
>            Reporter: Thomas Andraschko
>            Assignee: Werner Punz
>            Priority: Major
>
> simple CSP case:
>  - add a static nonce via phaselistener/servletfilter in the headers
>  - add the static nonce to a script tag
> this works fine for a GET request or non-ajax POST, but our ajax engine just 
> ignores the nonce attribute on scripts and the following error occurs in the 
> browser:
> Content Security Policy: Die Einstellungen der Seite haben das Laden einer 
> Ressource auf inline blockiert ("script-src").
> There will probably be other tickets in the future, but that's the first 
> basic case which must be supported.
> There are of course other problems like onclick handlers in the DOM or the 
> eval node in the partial-response.
> Similar to: https://github.com/jquery/jquery/issues/3541



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)