[mojarra-dev] CSP: support basic CSP/nonce in the AJAX API

Hi,

In PrimeFaces we are currently working on a CSP prototype.
Basically PrimeFaces can do all the work; however, it's currently impossible to support f:ajax.

Let's talk about a simple case:
- add a "static" nonce header via phaselistener/servletfilter
- add a "static" nonce attribute to a script tag

1) If you open the view via the first GET or submit the form via non-AJAX, everything works fine.
But if you update e.g. a form via AJAX, JSF processes the update node in the partial-response - BUT - it ignores the nonce attributes on script tags.
That's basically the same problem: https://github.com/jquery/jquery/issues/3541

2) As you may already know, PrimeFaces offers a way to execute JavaScript from a ManagedBean (RequestContext#execute).
This functionality is based on the eval node in the partial-response.
We could easily add a nonce support here if we would add a nonce attribute to the eval node.

Both issues can probably be implemented without big effort and would allow extension libraries to add complete CSP support.
The first issue probably doesn't even require spec changes; the second one would require enhancing the partial-response schema. But we could implement both issues in 2.x and just change the spec in 3.x. MF and Mojarra should just do it the same way.

Of course there are some implementation details in the CSP prototype but the above issues would be enough to implement in the JSF impls.

WDYT?

Best regards,
Thomas
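The client-side half of what the post asks for, as an added example that is not part of the post and not Mojarra or PrimeFaces code: scripts that arrive inside an `update` fragment are inert after innerHTML insertion, and re-running them through `eval()` is exactly what a `script-src 'nonce-...'` policy blocks, so each one is rebuilt as a fresh `<script>` element carrying the nonce; the `eval` node gets the same treatment. The function names, the `doc` parameter (for testing outside a browser) and the fallback page nonce are assumptions of this example.

```javascript
// Added example, not jsf.js or PrimeFaces code. Re-execute the <script>
// elements found in an AJAX-updated container under a nonce-based CSP.
// Browsers mark scripts parsed from innerHTML as "already started", so they
// never run; creating a new element with the nonce is the CSP-compliant way.
function reexecuteScripts(container, pageNonce, doc = document) {
  const created = [];
  for (const old of Array.from(container.querySelectorAll('script'))) {
    // Connected elements hide the nonce attribute and expose it via .nonce,
    // so read the property first, then the attribute, then the page nonce.
    const n = old.nonce || old.getAttribute('nonce') || pageNonce;
    if (!n) continue; // nothing the policy would accept: leave the tag inert
    const fresh = doc.createElement('script');
    fresh.setAttribute('nonce', n);
    const src = old.getAttribute('src');
    if (src) {
      fresh.setAttribute('src', src);
    } else {
      fresh.textContent = old.textContent;
    }
    // Swapping the element in place triggers execution of the new script.
    old.parentNode.replaceChild(fresh, old);
    created.push(fresh);
  }
  return created;
}

// Equivalent for an <eval> node: instead of eval(code), which the policy
// rejects, inject the code as a nonced inline script (nonce assumed to be
// carried on the eval node or known to the page).
function evalWithNonce(code, nonce, doc = document) {
  const s = doc.createElement('script');
  s.setAttribute('nonce', nonce);
  s.textContent = code;
  doc.head.appendChild(s);
  return s;
}
```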
