2 Replies Latest reply on Dec 5, 2016 3:10 AM by jaredgrace

RichFaces and Content Security Policy

jaredgrace Dec 1, 2016 11:07 AM

Hello everyone,

i've been trying to add a Content Security Policy(CSP) header to my webapp which heavily relys on RichFaces components.

As far as my researches have gone, for CSP to be effective, one has to remove all inline-styles and -JavaScript from a page.

The only way to bring inline javascript /-styles to a decent security level would be to add a nonce to each component like so:

<script nonce="somerandomnumber" type="text/javascript" src="somejsfile.js"></script>

Unfortunately it seems, that some Rich components make use of both inline js and inline styles (e.g. PopUpPanel)

I havn't found a way yet to add custom attributes to either the script import of RichFaces nor the inline script & styles the components generate.

To my questions:

- Does anybody have experience with CSP-headers in combination with RichFaces? (any advice would be helpful )

- Is there any way to add a custom attribute to the generated code?

- Are there any plans to support CSP in future releases of RichFaces?

Thank you in advance for any help,

Best regards

Nicolas Gerlach

1. Re: RichFaces and Content Security Policy

michpetrov Dec 2, 2016 12:26 PM (in response to jaredgrace)

RichFaces development has ended in June, there are not going to be any future releases.

You are welcome to try making a CSP-compliant version of RichFaces but I imagine that might be rather difficult for components that do not have templates (otherwise adding a new attribute to the generated HTML is easy).
1 of 1 people found this helpful
Actions
2. Re: RichFaces and Content Security Policy

jaredgrace Dec 5, 2016 3:10 AM (in response to michpetrov)

Hi Michal,

in that case i'd rather search for something else in the future than fiddling with RichFaces by myself.

But thank you for your input anyways !
Actions