In PrimeFaces we are currently working on a CSP prototype.
Basically PrimeFaces can do all the work, however it's currently impossible to support f:ajax.
Let's talk about a simple case:
- add a "static" nonce header via PhaseListener/servlet filter
- add a "static" nonce attribute to a script tag
1) If you open the view via the first GET or submit the form via non-ajax, everything works fine.
But if you update via AJAX, e.g. a form, JSF processes the update node in the partial-response - BUT - it ignores the nonce attributes on script tags.
This functionality is based on the eval node in the partial-response.
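
The situation described above, as an added example that is not part of the original post and is not PrimeFaces or JSF code: it audits a partial-response for scripts inside update nodes and reports which ones a nonce-based policy would allow as sent, and which would still be allowed once their attributes are dropped. The sample response, the nonce value and all function names are constructed, and the policy is assumed to be `script-src 'nonce-<value>'` with no other sources.

```javascript
// Constructed sample: a partial-response whose update node carries a nonce'd script.
const SAMPLE_NONCE = "r4nd0m"; // constructed value, would come from the CSP header
const SAMPLE_RESPONSE = `<?xml version="1.0" encoding="UTF-8"?>
<partial-response><changes>
<update id="form"><![CDATA[<form id="form"><script nonce="r4nd0m">init();</script>
<script src="/app/widget.js"></script></form>]]></update>
</changes></partial-response>`;

// Pull the markup out of every <update> node's CDATA section.
function updateMarkup(xml) {
  const re = /<update\b[^>]*><!\[CDATA\[([\s\S]*?)\]\]><\/update>/g;
  return [...xml.matchAll(re)].map((m) => m[1]);
}

// Parse <script> tags and keep their attributes. A regex is enough for this
// sample; in a browser a <template> element or DOMParser would do the parsing.
function parseScripts(markup) {
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  return [...markup.matchAll(re)].map((m) => {
    const attrs = {};
    for (const a of m[1].matchAll(/([\w-]+)\s*=\s*"([^"]*)"/g)) {
      attrs[a[1].toLowerCase()] = a[2];
    }
    return { attrs, code: m[2] };
  });
}

// Model of update handling that keeps only src/body and drops every other
// attribute, i.e. the nonce is ignored as the post describes.
function dropAttributes(script) {
  return { attrs: script.attrs.src ? { src: script.attrs.src } : {}, code: script.code };
}

// With a nonce-only script-src, a script runs only if its nonce matches the header.
function allowedByNonce(script, headerNonce) {
  return script.attrs.nonce === headerNonce;
}

// One row per script found in the update nodes of the response.
function audit(xml, headerNonce) {
  return updateMarkup(xml).flatMap(parseScripts).map((s) => ({
    code: s.code,
    src: s.attrs.src || null,
    asSent: allowedByNonce(s, headerNonce),
    afterAttributeLoss: allowedByNonce(dropAttributes(s), headerNonce),
  }));
}
```

Running `audit(SAMPLE_RESPONSE, SAMPLE_NONCE)` against captured partial-responses separates scripts the server never gave a nonce from scripts that lose it on the client.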