CODEWITHSUNDEEP
webjsfprimefacescontent-security-policy
Joe
Joe

Reputation: 7919

Refuse to execute inline script because violates Content Security Policy (primefaces 8)

Enviroment:

I am trying to update a combobox with an ajax render event and the web does not update the combobox and I get this error. How could I solve this?

ERROR js console

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-ZGRkM2ZjYTAtNzE3MC00MmU4LWE4YmMtOWNmYjUyNjYyMTNh'". Either the 'unsafe-inline' keyword, a hash ('sha256-PoJBY0XvVwb+v60hF7CQr9zfBAfr3HAsK3P9TEKUqGs='), or a nonce ('nonce-...') is required to enable inline execution.
runScript   @   jsf.js.xhtml?ln=javax.faces:1
runScripts  @   jsf.js.xhtml?ln=javax.faces:1
doUpdate    @   jsf.js.xhtml?ln=javax.faces:1
response    @   jsf.js.xhtml?ln=javax.faces:1
onComplete  @   jsf.js.xhtml?ln=javax.faces:1
AjaxEngine.req.xmlReq.onreadystatechange    @   jsf.js.xhtml?ln=javax.faces:1

web.xml

...
<!--Primefaces Content Security Policy-->
<context-param>
    <param-name>primefaces.CSP</param-name>
    <param-value>true</param-value>
</context-param>
...

face.xhtml

...
    <p:selectOneMenu id="cbxOrganisme" value="#{userBean.selected.organism}"
                     valueChangeListener="#{userBean.onChangeOrganism}"
                     converter="vTableConverter" filter="true"
                     rendered="true" required="true" style="width: 90%;">
        <f:ajax event="change" execute="@this" listener="#{userBean.onChangeOrganism}" render="cbxCenter"/>
        <f:selectItem itemLabel="#{messages['seleccionar']}" itemValue="" noSelectionOption="true"/>
        <f:selectItems value="#{userBean.organisms}" var="organism"
                       itemLabel="#{sessionBean.localeCode eq 'ca'? organism.nomCA:organism.nomES}"
                       itemValue="#{organism}"/>
    </p:selectOneMenu>
...

web.html

<html><head id="j_idt2">
        <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE9">
        <meta http-equiv="Content-Type" content="text/xhtml; charset=UTF-8">
        <meta http-equiv="Cache-Control" content="no-cache">
        <meta http-equiv="Pragma" content="no-cache">
        <title>Govern de les Illes Balears - APP
        </title><link type="text/css" rel="stylesheet" href="/APP2/javax.faces.resource/theme.css.xhtml?ln=primefaces-bootstrap">
        <link type="text/css" rel="stylesheet" href="/APP2/javax.faces.resource/fa/font-awesome.css.xhtml?ln=primefaces&amp;v=8.0">
        <link type="text/css" rel="stylesheet" href="/APP2/javax.faces.resource/govern-ie.css.xhtml?ln=css">
        <link type="text/css" rel="stylesheet" href="/APP2/javax.faces.resource/buttons.css.xhtml?ln=css">
        <link type="text/css" rel="stylesheet" href="/APP2/javax.faces.resource/components.css.xhtml?ln=primefaces&amp;v=8.0">
        <script type="text/javascript" src="/APP2/javax.faces.resource/jquery/jquery.js.xhtml?ln=primefaces&amp;v=8.0" nonce="">
        </script><script type="text/javascript" src="/APP2/javax.faces.resource/jquery/jquery-plugins.js.xhtml?ln=primefaces&amp;v=8.0" nonce="">
        </script><script type="text/javascript" src="/APP2/javax.faces.resource/core.js.xhtml?ln=primefaces&amp;v=8.0" nonce=""></script>
        <script type="text/javascript" src="/APP2/javax.faces.resource/components.js.xhtml?ln=primefaces&amp;v=8.0" nonce=""></script>
        <script type="text/javascript" src="/APP2/javax.faces.resource/idlemonitor/idlemonitor.js.xhtml?ln=primefaces&amp;v=8.0" nonce=""></script>
        <script type="text/javascript" src="/APP2/javax.faces.resource/touch/touchswipe.js.xhtml?ln=primefaces&amp;v=8.0" nonce=""></script>
        <link type="text/css" rel="stylesheet" href="/APP2/javax.faces.resource/fileupload/fileupload.css.xhtml?ln=primefaces&amp;v=8.0">
        <script type="text/javascript" src="/APP2/javax.faces.resource/fileupload/fileupload.js.xhtml?ln=primefaces&amp;v=8.0" nonce=""></script>
        <script type="text/javascript" src="/APP2/javax.faces.resource/jsf.js.xhtml?ln=javax.faces" nonce=""></script>
        <script type="text/javascript" nonce="">if(window.PrimeFaces){PrimeFaces.settings.locale='ca';}</script><script type="text/javascript" nonce="">$(function(){PrimeFaces.csp.init('ZTFhYjQ3MDItYzM5Yy00MGU5LWE2NDEtZDFjMTExNDEzMWU4');;});</script>
    
    <script async="async" src="https://www.googletagmanager.com/gtag/js?id=UA-133688930-1" nonce=""></script>
    <script nonce="">
        window.dataLayer = window.dataLayer || [];
        function gtag(){dataLayer.push(arguments);}
        gtag('js', new Date());

        gtag('config', 'UA-133688930-1');

        function redirectPrincipal() {
            let context = "APP/";
            let mainPage = "principal.xhtml";
            let url = window.location.href;

            if (url.endsWith(context)) {
                window.location.replace(url + "principal.xhtml");
            }
        }

        redirectPrincipal();
    </script>
    <link rel="SHORTCUT ICON" href="http://www.name.es/webname/favicon.ico"><script type="text/javascript" src="/APP2/javax.faces.resource/calendar-localization.js.xhtml?ln=js" nonce=""></script>
    <script type="text/javascript" src="/APP2/javax.faces.resource/functions.js.xhtml?ln=js" nonce=""></script>
    <meta name="description" content="APP. Versió: 8.0.0-">
    <meta name="author" content="Govern de les Illes Balears"></head>
<body>
...
</body>
</html>

Upvotes: 2

Views: 1732

Answers (1)

Joe
Joe

Reputation: 7919

Content Security Policy known limitations

Currently CSP in combination with <f:ajax> cannot be used with all Faces implementations / versions.

MyFaces supports it since 2.3-next (which will be 4.0 in the future), Mojarra doesn't support it in general: https://github.com/eclipse-ee4j/mojarra/issues/4542

As workaround, you can always use <p:ajax> instead.

Upvotes: 1

Related Questions