mittal

Reputation: 335

content-security-policy header for a jsf, primefaces application

As JSF and Primefaces components result in inline scripts, it is difficult to configure the CSP header in its best configuration.

As JSF by design provides XSS protection, is it okay to not use CSP at all or what shall be the best CSP value for a JSF+Primefaces application?

Also, there is not much discussion/sample-code available on the topic on the Internet [1][2]. Aren't JSF and Primefaces planning to provide easier implementation of CSP, as it is a 'defense-in-depth', highly recommended header?

Upvotes: 4

Views: 3735

Answers (1)

Adane kasie

Reputation: 71

To enable it you may add the following context parameter to your web.xml:

<context-param>
    <param-name>primefaces.CSP</param-name>
    <param-value>true</param-value>
</context-param>

Upvotes: 3
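An added example (not part of the answer above and not PrimeFaces code): a small JavaScript check for the inline-script problem the question raises. It parses a Content-Security-Policy header value and reports whether the effective script policy still permits arbitrary inline or eval-style scripts. The function names and header strings are constructed for illustration, and a nonce-based `script-src` is assumed as the alternative to `'unsafe-inline'`.

```javascript
// Added example: audits the script policy of a Content-Security-Policy header value.
// The sample header values below are constructed, not captured from a real application.

// Split a CSP header value into a map: directive name -> array of source expressions.
function parseCsp(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Per the CSP spec, a repeated directive is ignored: the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Return a list of findings for the effective script policy
// (script-src if present, otherwise the default-src fallback).
function auditScriptPolicy(headerValue) {
  const directives = parseCsp(headerValue);
  const name = directives.has('script-src') ? 'script-src' : 'default-src';
  if (!directives.has(name)) {
    return ['no script-src or default-src: scripts are unrestricted'];
  }
  const sources = directives.get(name).map((s) => s.toLowerCase());
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  const findings = [];
  // Browsers ignore 'unsafe-inline' when a nonce or hash is present (CSP Level 2+).
  if (sources.includes("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push(name + ": 'unsafe-inline' allows any inline script");
  }
  if (sources.includes("'unsafe-eval'")) {
    findings.push(name + ": 'unsafe-eval' allows eval()-style execution");
  }
  if (sources.some((s) => ['*', 'http:', 'https:', 'data:'].includes(s))) {
    findings.push(name + ': wildcard or scheme-only source allows scripts from any host');
  }
  return findings;
}

// Constructed samples: a permissive policy and a nonce-based one.
const permissivePolicy = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'";
const nonceBasedPolicy = "script-src 'self' 'nonce-Zm9vYmFy'";

console.log(auditScriptPolicy(permissivePolicy));
console.log(auditScriptPolicy(nonceBasedPolicy));
```

Run it against the `Content-Security-Policy` value your application actually returns, before and after enabling the context parameter, to see which findings remain.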
