CODEWITHSUNDEEP
jsfwebcontent-security-policy
t3chris
t3chris

Reputation: 1380

Java Server Faces and Content Security Policy?

I would like to use Content Security Policy for my JSF 2.1 based Web projects as I think it could improve protection against XSS attacks significantly.

Due to CSP's default behaviour to block all inline JavaScript it basically breaks JSF's 

<f:ajax execute="input" render="output" />

functionality. This is because JSF generates lots of inline JavaScript code when using the above stated construct.

Does anybody know if there is a way to use CSP in JSF based projects which make use of f:ajax without the need to allow inline JS by using the following CSP directive:

Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'

I know that manually placing all of the JavaScript in a separate file would be possible, but doing so I would be forced to do all the Ajax stuff manually.

Upvotes: 10

Views: 5416

Answers (1)

Uux
Uux

Reputation: 1218

You could avoid using the unsafe-inline source-expression in order to whitelist inline <script>s, by utilizing nonce and/or hash instead [1]. Doing so would require:

  • Inclusion of a nonce attribute in inline <script> elements, e.g.

    <f:ajax ... pt:nonce="$placeHolder" />

    (assuming that the pt prefix has been bound to the http://xmlns.jcp.org/jsf/passthrough namespace). The attribute's value could just be a placeholder within the view file, enabling you to replace it collectively in all trusted inline <script>s later on.

  • Replacement (via a Filter, for instance) of the placeholder with a random value in each response and insertion of that value into the CSP HTTP Header and/or equivalent <meta> element, producing for example

    <script ... nonce="126cfb..."> and

    Content-Security-Policy: default-src 'self'; ... script-src 'self' 'nonce-126cfb...'.

    Theoretically, produced nonce-values should also be stored on the server, to avoid their reassignment in the near future, since they're supposed to be unique.

  • Additionally or alternatively, insertion of each trusted inline <script> contents' digest into the CSP HTTP Header and/or equivalent <meta> element, alongside its respective hash-algo, such as

    Content-Security-Policy: script-src 'sha256-126cfb...='.

    hash-values should too be regenerated while preparing each response, I guess, since <script>s are generally expected to change over time and with JSF you might not immediately notice when they do.

Upvotes: 4

Related Questions