2 Replies Latest reply on Dec 5, 2016 3:10 AM by jaredgrace

    RichFaces and Content Security Policy


      Hello everyone,


      i've been trying to add a Content Security Policy(CSP) header to my webapp which heavily relys on RichFaces components.

      As far as my researches have gone, for CSP to be effective, one has to remove all inline-styles  and -JavaScript from a page.


      The only way to bring inline javascript /-styles to a decent security level would be to add a nonce to each component like so:

      <script nonce="somerandomnumber" type="text/javascript" src="somejsfile.js"></script>


      Unfortunately it seems, that some Rich components make use of both inline js and inline styles (e.g. PopUpPanel)

      I havn't found a way yet to add custom attributes to either the script import of RichFaces nor the inline script & styles the components generate.


      To my questions:

      - Does anybody have experience with CSP-headers in combination with RichFaces? (any advice would be helpful )

      - Is there any way to add a custom attribute to the generated code?

      - Are there any plans to support CSP in future releases of RichFaces?


      Thank you in advance for any help,

      Best regards

      Nicolas Gerlach

        • 1. Re: RichFaces and Content Security Policy

          RichFaces development has ended in June, there are not going to be any future releases.


          You are welcome to try making a CSP-compliant version of RichFaces but I imagine that might be rather difficult for components that do not have templates (otherwise adding a new attribute to the generated HTML is easy).

          1 of 1 people found this helpful
          • 2. Re: RichFaces and Content Security Policy

            Hi Michal,


            in that case i'd rather search for something else in the future than fiddling with RichFaces by myself.


            But thank you for your input anyways !