| Re: [mojarra-dev] More CSP-related TCK Failures |
_______________________________________________As $SUBJECT states, we’re seeing more CSP-related failures in the 4.0 TCK that I’d like to discuss. Before getting into details, I’m a bit confused as to how the TCK passes on GF, but seems to be failing when we run against WildFly, and users see similar failures in the wild. Should someone have insight there, I’d much appreciate it. :)As far as these specific failures are concerned, we’re seeing these in the Faces 2.3 “exact mapping” tests (https://github.com/jakartaee/faces/blob/4.0.x/tck/faces23/exactMapping/src/test/java/ee/jakarta/tck/faces/test/servlet40/exactmapping/Spec1260IT.java) Specifically, we’re seeing this:[ERROR] Errors:[ERROR] Spec1260IT.testAjaxFromExactMappedView:177 » Script TypeError: Cannot find function ael in object [object Object]. (script in http://127.0.0.1:8080/test-faces23-exactmapping/foo from (29, 189) to (29, 322)#29)[ERROR] Spec1260IT.testExactMappedViewLoads:76 » Script TypeError: Cannot find function ael in object [object Object]. (script in http://127.0.0.1:8080/test-faces23-exactmapping/foo from (29, 189) to (29, 322)#29)[ERROR] Spec1260IT.testLinkToNonExactMappedView:111 » Script TypeError: Cannot find function ael in object [object Object]. (script in http://127.0.0.1:8080/test-faces23-exactmapping/foo from (29, 189) to (29, 322)#29)[ERROR] Spec1260IT.testPostBackOnLinkedNonExactMappedView:139 » Script TypeError: Cannot find function ael in object [object Object]. (script in http://127.0.0.1:8080/test-faces23-exactmapping/foo from (29, 189) to (29, 322)#29)[ERROR] Spec1260IT.testPostBackToExactMappedView:91 » Script TypeError: Cannot find function ael in object [object Object]. (script in http://127.0.0.1:8080/test-faces23-exactmapping/foo from (29, 189) to (29, 322)#29)[ERROR] Spec1260IT.testResourceReferenceFromExactMappedView:160 » Script TypeError: Cannot find function ael in object [object Object]. (script in http://127.0.0.1:8080/test-faces23-exactmapping/foo from (29, 189) to (29, 322)#29)[ERROR] Tests run: 12, Failures: 0, Errors: 6, Skipped: 6The mojarra.ael references should not be rendered, given the back ports made.I’ve traced the execution in my IDE, and I think I’ve found the issue in OutcomeTargetButtonRenderer.encodEnd():if (!Util.componentIsDisabled(component)) {NavigationCase navCase = getNavigationCase(context, component);if (navCase != null) {String hrefVal = getEncodedTargetURL(context, component, navCase);hrefVal += getFragment(component);RenderKitUtils.addEventListener(context, component, null,"click", getOnclick(component, hrefVal));}}In the bolded line, the <script> tag is always rendered unlike in, say, ButtonRenderer, we see code like this:if (ResourceHandlerImpl.resolveCurrentNonce(context) != null) {RenderKitUtils.renderOnclickEventListener(context, component, params, null, false);}I’m going to experiment here with a conditional rendering, as that seems like the right thing to do, but I’m hopeful for some (early?) feedback. In PR 5727 (https://github.com/eclipse-ee4j/mojarra/pull/5727), the inline JS behavior is restored (though only in some components?), and I backported to 4.0 (https://github.com/eclipse-ee4j/mojarra/pull/5732).In theory, then, the fix should be in and the TCK should be happy, but clearly something’s awry. Is the non-CSP JS fix insufficient, or is there something else at play WRT TCK runs? Do we know, e.g., if other containers (Weblogic, etc) passing the TCK with 4.0.18? I’m happy to concede that there’s an issue on the WildFly side if that’s the case, but I’m not seeing how that might be. I’m hoping someone can help me get to the bottom of this...Jason Lee
OKC JUG President
https://jasondl.ee
https://twitter.com/jasondlee
http://linkedin.com/in/jasondlee
mojarra-dev mailing list
mojarra-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/mojarra-dev