2 Replies Latest reply on Dec 5, 2016 3:10 AM by Nicolas Gerlach

    RichFaces and Content Security Policy

    Nicolas Gerlach Newbie

      Hello everyone,


      I've been trying to add a Content Security Policy (CSP) header to my webapp, which heavily relies on RichFaces components.

      As far as my research has gone, for CSP to be effective one has to remove all inline styles and JavaScript from a page.


      The only way to bring inline JavaScript/styles to a decent security level would be to add a nonce to each component, like so:

      <script nonce="somerandomnumber" type="text/javascript" src="somejsfile.js"></script>


      Unfortunately, it seems that some Rich components make use of both inline JS and inline styles (e.g. PopUpPanel).

      I haven't found a way yet to add custom attributes to either the script import of RichFaces or the inline scripts & styles the components generate.


      To my questions:

      - Does anybody have experience with CSP headers in combination with RichFaces? (Any advice would be helpful.)

      - Is there any way to add a custom attribute to the generated code?

      - Are there any plans to support CSP in future releases of RichFaces?


      Thank you in advance for any help,

      Best regards

      Nicolas Gerlach
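As an added example, not from the original post or from the RichFaces project, here is a servlet filter that does the nonce part of what the question describes: it draws a fresh random nonce for every response, exposes it to the page as a request attribute, and sends a CSP header that allows scripts and styles only from the application origin or from tags carrying that nonce. The filter name CspNonceFilter and the attribute name cspNonce are assumptions chosen for this example.

```java
// Added example (not from the original post): per-response CSP nonce filter.
// CspNonceFilter and the request attribute name "cspNonce" are assumed names.
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Base64;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebFilter("/*")
public class CspNonceFilter implements Filter {

    /** Request attribute under which the page template can read the nonce (assumed name). */
    public static final String NONCE_ATTR = "cspNonce";

    // SecureRandom rather than java.util.Random: a guessable nonce gives no protection.
    private final SecureRandom random = new SecureRandom();

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String nonce = newNonce();
        request.setAttribute(NONCE_ATTR, nonce);

        // The header has to be set before the response body is committed,
        // so it goes on before the rest of the chain renders the page.
        response.setHeader("Content-Security-Policy", buildPolicy(nonce));

        chain.doFilter(request, response);
    }

    /** 128 bits of randomness, Base64-encoded, which is the form the CSP nonce grammar expects. */
    String newNonce() {
        byte[] bytes = new byte[16];
        random.nextBytes(bytes);
        return Base64.getEncoder().encodeToString(bytes);
    }

    /**
     * No 'unsafe-inline' anywhere: an inline script or style block is executed only
     * if its tag carries this response's nonce. Inline code that a component emits
     * without the nonce is blocked, and the browser logs a violation to the console.
     */
    static String buildPolicy(String nonce) {
        return "default-src 'self'; "
             + "script-src 'self' 'nonce-" + nonce + "'; "
             + "style-src 'self' 'nonce-" + nonce + "'; "
             + "object-src 'none'; "
             + "base-uri 'self'";
    }
}
```

In a Facelets page the nonce is available as #{requestScope.cspNonce}; with JSF 2.2 passthrough attributes (xmlns:pt="http://xmlns.jcp.org/jsf/passthrough") a tag you write yourself can carry it as pt:nonce="#{requestScope.cspNonce}". The filter does not change what RichFaces renderers emit, so any inline script or style they generate without the nonce will be blocked, which is exactly the problem described in the post. A practical way to measure how much breaks before enforcing anything is to send the same policy under the header name Content-Security-Policy-Report-Only: nothing is blocked, but every violation is reported in the browser console.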