Re: [mojarra-dev] More CSP-related TCK Failures

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [mojarra-dev] More CSP-related TCK Failures

From: Jason Lee <jason@xxxxxxxxxxxxxxx>
Date: Wed, 20 May 2026 09:37:45 -0500
Arc-authentication-results: i=1; rspamd-6cd998c8-6wfxc; auth=pass smtp.auth=dreamhost smtp.mailfrom=jason@xxxxxxxxxxxxxxx
Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=mailchannels.net; s=arc-2022; t=1779287878; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references:dkim-signature; bh=h9FxY8JaJKrsBwxOmyn90FVrOoMxkkmWtV2K8WMhMxM=; b=Ke1vHVISFfYY8vW2oACzh948M3aMVkdHtr4V0eSEQh2kyDOpUUqYt/f2gJKGUs96v/Uo47 SQxYWMT0RICjZfRwrSXbP5lKlNsiWJ3Q6slcm6af5dSQJGqx8jytbMMTtAwJgjXTNVrQ1G X6uRx9K0F36uiqZKftlrMGVvZXfc3ToqhTssEeiyk2y0ii4uHBlrdn6zKvw7gt0D4eZrNA 9OR6fz7IejOspYAOvm20GbomqCKPL+c5tVxMim4UHBYXsg48RbUEezWcQ0cv8FPDy51x6g Psqo06J+sjhoyasLmbblvhEcAbGQLKlptnSB9TI0qgC90vfxoTGotR/22HoHBQ==
Arc-seal: i=1; a=rsa-sha256; d=mailchannels.net; s=arc-2022; cv=none; t=1779287878; b=uGVKES/s4jFTzmjlVo3lghsgfDfSmeuUf9K7n8IZeYaWX2t1kN0D0KcjcgeS1g+Z7TZWJA Ewr1qV6FtxVqWxPkrlkSR5ms/8vM4+pDtVfsqEH9qg+xzJ7PJYd3KZ1lIL61u6GAiBWCw1 +Kana9wEoQZ9LAwdr2jR7scEXKHsablb1KIpUNX7xawdQGw7NWbBYyq5gfPsIOfw9i/43F 6d3dbKDOL7V+XoCWH1tl/Vx9f9eraWXmPIQd0yo9inc+GKCFWnw+/P2VEkbnc/e6D05+HO +NkJkDFSyn+sW66ZyGrOUq9oRzxOh5kLckEJI6cF82TpJpLPHIG3HupuxIWn8Q==
Delivered-to: mojarra-dev@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/mojarra-dev/>
List-help: <mailto:mojarra-dev-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/mojarra-dev>, <mailto:mojarra-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/mojarra-dev>, <mailto:mojarra-dev-request@eclipse.org?subject=unsubscribe>

I’m not exactly sure how that could but, regardless, in this case the reference to it should not have been rendered at all, since CSP was enabled. I have a fix for that under development (changes to OutcomeTargetButtonRenderer), but I’m still not sure how the TCK passes in some scenarios but not others. That bothers me. :)

On May 20, 2026, at 5:14 AM, Bauke Scholtz <balusc@xxxxxxxxx> wrote:

Hi,

The error wording "Cannot find function ael in object [object Object]" means that it found window.mojarra object but not mojarra.ael function.

This can only mean that an older version of faces.js was served somehow.

Cheers, B

On Tue, May 19, 2026 at 12:48 PM Jason Lee via mojarra-dev <mojarra-dev@xxxxxxxxxxx> wrote:
As $SUBJECT states, we’re seeing more CSP-related failures in the 4.0 TCK that I’d like to discuss. Before getting into details, I’m a bit confused as to how the TCK passes on GF, but seems to be failing when we run against WildFly, and users see similar failures in the wild. Should someone have insight there, I’d much appreciate it. :)

As far as these specific failures are concerned, we’re seeing these in the Faces 2.3 “exact mapping” tests (https://github.com/jakartaee/faces/blob/4.0.x/tck/faces23/exactMapping/src/test/java/ee/jakarta/tck/faces/test/servlet40/exactmapping/Spec1260IT.java) Specifically, we’re seeing this:

[ERROR] Errors:
[ERROR] Spec1260IT.testAjaxFromExactMappedView:177 » Script TypeError: Cannot find function ael in object [object Object]. (script in http://127.0.0.1:8080/test-faces23-exactmapping/foo from (29, 189) to (29, 322)#29)
[ERROR] Spec1260IT.testExactMappedViewLoads:76 » Script TypeError: Cannot find function ael in object [object Object]. (script in http://127.0.0.1:8080/test-faces23-exactmapping/foo from (29, 189) to (29, 322)#29)
[ERROR] Spec1260IT.testLinkToNonExactMappedView:111 » Script TypeError: Cannot find function ael in object [object Object]. (script in http://127.0.0.1:8080/test-faces23-exactmapping/foo from (29, 189) to (29, 322)#29)
[ERROR] Spec1260IT.testPostBackOnLinkedNonExactMappedView:139 » Script TypeError: Cannot find function ael in object [object Object]. (script in http://127.0.0.1:8080/test-faces23-exactmapping/foo from (29, 189) to (29, 322)#29)
[ERROR] Spec1260IT.testPostBackToExactMappedView:91 » Script TypeError: Cannot find function ael in object [object Object]. (script in http://127.0.0.1:8080/test-faces23-exactmapping/foo from (29, 189) to (29, 322)#29)
[ERROR] Spec1260IT.testResourceReferenceFromExactMappedView:160 » Script TypeError: Cannot find function ael in object [object Object]. (script in http://127.0.0.1:8080/test-faces23-exactmapping/foo from (29, 189) to (29, 322)#29)
[ERROR] Tests run: 12, Failures: 0, Errors: 6, Skipped: 6

The mojarra.ael references should not be rendered, given the back ports made.

I’ve traced the execution in my IDE, and I think I’ve found the issue in OutcomeTargetButtonRenderer.encodEnd():

if (!Util.componentIsDisabled(component)) {
NavigationCase navCase = getNavigationCase(context, component);

if (navCase != null) {
String hrefVal = getEncodedTargetURL(context, component, navCase);
hrefVal += getFragment(component);
RenderKitUtils.addEventListener(context, component, null,"click", getOnclick(component, hrefVal));
}
}

In the bolded line, the <script> tag is always rendered unlike in, say, ButtonRenderer, we see code like this:

if (ResourceHandlerImpl.resolveCurrentNonce(context) != null) {
RenderKitUtils.renderOnclickEventListener(context, component, params, null, false);
}

I’m going to experiment here with a conditional rendering, as that seems like the right thing to do, but I’m hopeful for some (early?) feedback. In PR 5727 (https://github.com/eclipse-ee4j/mojarra/pull/5727), the inline JS behavior is restored (though only in some components?), and I backported to 4.0 (https://github.com/eclipse-ee4j/mojarra/pull/5732).

In theory, then, the fix should be in and the TCK should be happy, but clearly something’s awry. Is the non-CSP JS fix insufficient, or is there something else at play WRT TCK runs? Do we know, e.g., if other containers (Weblogic, etc) passing the TCK with 4.0.18? I’m happy to concede that there’s an issue on the WildFly side if that’s the case, but I’m not seeing how that might be. I’m hoping someone can help me get to the bottom of this...

Jason Lee
OKC JUG President
https://jasondl.ee
https://twitter.com/jasondlee
http://linkedin.com/in/jasondlee

_______________________________________________
mojarra-dev mailing list
mojarra-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/mojarra-dev

Jason Lee
OKC JUG President
https://jasondl.ee
https://twitter.com/jasondlee
http://linkedin.com/in/jasondlee

References:
- [mojarra-dev] More CSP-related TCK Failures
  - From: Jason Lee
- Re: [mojarra-dev] More CSP-related TCK Failures
  - From: Bauke Scholtz

Prev by Date: Re: [mojarra-dev] More CSP-related TCK Failures
Previous by thread: Re: [mojarra-dev] More CSP-related TCK Failures
Index(es):
- Date
- Thread

Breadcrumbs