[mojarra-dev] h:commandLink and CSP
  • From: Jason Lee <jason@xxxxxxxxxxxxxxx>
  • Date: Fri, 8 Aug 2025 09:42:52 -0500

We have a user reporting issues with h:commandLink and CSP:

Especially the call
var f = new Function("event", arguments[i]);
that dynamically creates a JS function which requires unsafe-eval. This breaks the content security policy.

The commandLink could be as simple as:

<h:commandLink action="" value="Click Me"/>

Specifically, the error given is "Content-Security-Policy: The page’s settings blocked a JavaScript eval (script-src) from being executed because it violates the following directive: “script-src 'self' "

In looking at the issue, I found this MyFaces issue: https://issues.apache.org/jira/browse/MYFACES-4481

The comments on the issue suggest that a spec change might have been necessary to fix this issue, but I can't see where or if anything was done on this. 

The user is reporting this against 4.0.8. Is there a known work-around or fix we can suggest for the user?

-- 
Jason Lee
OKC JUG President
https://jasondl.ee
https://twitter.com/jasondlee
http://linkedin.com/in/jasondlee
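
Added example, not part of the original message and not Mojarra or MyFaces code: a small checker that reads a Content-Security-Policy header value and reports whether string-to-code calls such as the new Function("event", ...) call quoted above would be blocked, and by which directive. The function names and all policy strings are constructed for illustration; it generalizes from the single policy in the error message to default-src fallback and multiple policies.

```javascript
// Added example: does a CSP block string-to-code calls such as
// new Function("event", src)? All policy strings here are constructed samples.

// Parse one serialized policy into Map<directive-name, source-expression[]>.
function parsePolicy(text) {
  const policy = new Map();
  for (const part of text.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A duplicate directive is ignored: the first occurrence wins.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// String compilation is checked against script-src, falling back to default-src.
function evalBlockedBy(policy) {
  const directive = ["script-src", "default-src"].find((d) => policy.has(d));
  if (!directive) return null; // this policy places no restriction on scripts
  const allowsEval = policy
    .get(directive)
    .some((src) => src.toLowerCase() === "'unsafe-eval'");
  return allowsEval ? null : directive;
}

// A header value may carry several comma-separated policies; every one of them
// must allow the call, so the first policy that blocks decides the verdict.
function checkNewFunction(headerValue) {
  for (const text of headerValue.split(",")) {
    const blockedBy = evalBlockedBy(parsePolicy(text));
    if (blockedBy) return { blocked: true, directive: blockedBy };
  }
  return { blocked: false, directive: null };
}

const samples = [
  "script-src 'self'", // the policy quoted in the error message
  "script-src 'self' 'unsafe-eval'",
  "default-src 'self'", // no script-src, so default-src governs
  "script-src 'self' 'nonce-abc123' 'wasm-unsafe-eval'", // neither permits JS eval
  "script-src 'self' 'unsafe-eval', script-src 'self'", // second policy still blocks
];
for (const s of samples) {
  const v = checkNewFunction(s);
  console.log(`${v.blocked ? "BLOCKED by " + v.directive : "allowed"}  <-  ${s}`);
}
```

Only the 'unsafe-eval' keyword changes the verdict; nonces, hashes and 'wasm-unsafe-eval' do not permit new Function, which is why the call has to be removed from the script to keep a strict policy.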
