Re: [mojarra-dev] h:commandLink and CSP

Hi,

Good point. It's about time. Here's the associated Faces spec issue: https://github.com/jakartaee/faces/issues/1590

As first step I've converted all Mojarra-generated inline event handlers to attached event handlers: https://github.com/eclipse-ee4j/mojarra/pull/5601

There's still work to do but at least the spec issue is already there.

Cheers, B

On Fri, Aug 8, 2025 at 11:19 AM Jason Lee via mojarra-dev <mojarra-dev@xxxxxxxxxxx> wrote:

We have a user reporting issues with h:commandLink and CSP:

Especially the call
var f = new Function("event", arguments[i]);
that dynamically creates js function which requires unsafe-eval. This breaks the content security policy.

The commandLink could be as simple as:

<h:commandLink action="" value="Click Me"/>

Specifically, the error given is "Content-Security-Policy: The page's settings blocked a JavaScript eval (script-src) from being executed because it violates the following directive: "script-src 'self'""

In looking at the issue, I found this MyFaces issue: https://issues.apache.org/jira/browse/MYFACES-4481

The comments on the issue suggest that a spec change might have been necessary to fix this issue, but I can't see where or if anything was done on this. 

The user is reporting this against 4.0.8. Is there a known work-around or fix we can suggest for the user?

-- 
Jason Lee
OKC JUG President
https://jasondl.ee
https://twitter.com/jasondlee
http://linkedin.com/in/jasondlee
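The difference the two messages above are discussing, as an added example that is not code from Mojarra, from the linked PR, or from the Faces spec: pattern A compiles a handler string at runtime with the Function constructor (the `new Function("event", ...)` call Jason quotes), which a CSP without 'unsafe-eval' rejects; pattern B registers function references with addEventListener, which is what "attached event handlers" means and needs neither 'unsafe-eval' nor 'unsafe-inline'. The function names, the EventTarget stand-in for the rendered link, and the "stop the chain when a handler returns false" rule are assumptions of this example, not a description of how Mojarra renders h:commandLink.

```javascript
// Added example (not Mojarra's or the Faces spec's own code). It contrasts the two
// ways a component library can hand a click handler to the browser and shows why
// only the second one survives "Content-Security-Policy: script-src 'self'".

// Pattern A: the handler exists as a string (that is what an inline onclick="..."
// attribute is) and is compiled at runtime with the Function constructor, as in
// the line quoted in the thread: var f = new Function("event", arguments[i]);
// A CSP without 'unsafe-eval' makes the browser throw an EvalError here.
function compileInlineHandler(source) {
  return new Function("event", source);
}

// Quick probe for the page you are debugging: paste it into the console and it
// tells you whether the active CSP permits runtime code generation. Node has no
// CSP, so it always returns true there; on a strict page it returns false.
function evalIsAllowed() {
  try {
    new Function("return 1")();
    return true;
  } catch (e) {
    if (e instanceof EvalError) return false;
    throw e;
  }
}

// Pattern B: handlers are function references registered through
// addEventListener. No string is ever parsed as code, so the page needs neither
// 'unsafe-eval' nor 'unsafe-inline' in script-src.
//
// Chaining rule assumed for this example (a design choice here, not a statement
// about Mojarra's rendering): run handlers in order, stop and cancel the event's
// default action as soon as one returns false.
function chainHandlers(handlers) {
  return function chained(event) {
    for (const handler of handlers) {
      if (handler.call(this, event) === false) {
        event.preventDefault();
        return false;
      }
    }
    return true;
  };
}

function attachHandler(target, type, handlers) {
  const chained = chainHandlers(handlers);
  target.addEventListener(type, chained);
  return chained;
}

// Demonstration with Node's built-in EventTarget and Event, so no DOM is needed.
// The EventTarget stands in for the rendered <a> element; the handler list stands
// in for a user-supplied onclick followed by the framework's own submit logic.
function demo() {
  const log = [];
  const link = new EventTarget();
  attachHandler(link, "click", [
    () => { log.push("user onclick"); },
    () => { log.push("framework submit"); return false; },
    () => { log.push("unreachable: chain stopped above"); },
  ]);
  const event = new Event("click", { cancelable: true });
  link.dispatchEvent(event);
  return { log, defaultPrevented: event.defaultPrevented };
}
```

Run `demo()` under Node and the log contains only the first two entries with the click's default action cancelled, without any string ever being evaluated. To confirm a page really is running under a CSP that forbids pattern A, call `evalIsAllowed()` in the browser console on that page; it returns false exactly when `new Function` would produce the error Jason's user reported.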