Content-Security-Policy blocks Prime Faces Javascript

sara.hester
Posts: 2
Joined: 29 Sep 2015, 16:16

30 Sep 2015, 09:54

Hello Folks,

Following the guide under: http://docs.spring.io/spring-security/s ... ers-static I set some headers (see the following code).

Code:

http.addFilterBefore(filter, CsrfFilter.class).authorizeRequests().anyRequest().authenticated().and()
		.addFilter(preAuthFilter()).headers().cacheControl().and().frameOptions().and()
		.addHeaderWriter(new StaticHeadersWriter("Content-Security-Policy", "default-src 'self'"))
		.addHeaderWriter(new StaticHeadersWriter("X-Content-Security-Policy", "default-src 'self'"))
		.addHeaderWriter(new StaticHeadersWriter("X-WebKit-CSP", "default-src 'self'"))
		.addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN)).xssProtection();

In PrimeFaces it seems that there are click handlers set inline in the HTML code which violate the Content Security Policy (Chrome gives me "Refused to execute inline event handler because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback."). Therefore some functions cannot be used. How can I prevent PrimeFaces from rendering the script inline and put it somewhere else?

Thanks a lot!
PrimeFaces version: 5.2 - Mojarra JavaServer Faces Version: 2.2.12 - Server: Red Hat JBoss Application Platform 6.4.3 GA
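
Added example, not part of the original post and not PrimeFaces or Spring code: a small Node.js audit that reproduces the fallback named in Chrome's message (inline handlers are checked against `script-src`, falling back to `default-src`) and lists the `on*` attributes in rendered markup that the policy would block. The sample HTML and all function names are constructed for illustration.

```javascript
// Added example. POLICY is the header value from the post; SAMPLE_HTML is
// constructed markup, not real PrimeFaces output.
const POLICY = "default-src 'self'";
const SAMPLE_HTML = `
<button id="b1" onclick="save(this);return false;">Save</button>
<a href="#" title="a > b" onmouseover='hint(1 > 0)'>Help</a>
<span data-onclick="ignored">not a handler</span>
<script src="/resources/app.js"></script>`;

// Directive name -> source list; the first occurrence of a directive wins.
// Lower-casing is safe here because only keyword sources are inspected.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name)) directives.set(name, sources);
  }
  return directives;
}

// Inline handlers are governed by script-src-attr, else script-src,
// else default-src (the fallback Chrome's message mentions).
function inlineHandlerPolicy(policy) {
  const d = parseCsp(policy);
  const governing = ['script-src-attr', 'script-src', 'default-src'].find(n => d.has(n)) || null;
  if (!governing) return { governing, blanketAllowed: true };
  const src = d.get(governing);
  // 'unsafe-inline' is ignored when a nonce, hash or 'strict-dynamic' is present.
  const overridden = src.some(s => /^'(nonce-|sha(256|384|512)-|strict-dynamic')/.test(s));
  return { governing, blanketAllowed: src.includes("'unsafe-inline'") && !overridden };
}

// List on* attributes in markup. Regex scanning is an approximation that is
// adequate for auditing rendered pages; it is not a full HTML parser.
function findInlineHandlers(html) {
  const hits = [];
  const tagRe = /<([a-zA-Z][\w:-]*)((?:"[^"]*"|'[^']*'|[^'">])*)>/g;
  const attrRe = /([^\s=\/"'<>]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  for (const [, tag, attrs] of html.matchAll(tagRe)) {
    for (const [, name] of attrs.matchAll(attrRe)) {
      if (/^on[a-z]+$/i.test(name)) hits.push(`${tag.toLowerCase()}[${name.toLowerCase()}]`);
    }
  }
  return hits;
}

// Handlers the browser would refuse to run under the given policy.
const blockedHandlers = (policy, html) =>
  inlineHandlerPolicy(policy).blanketAllowed ? [] : findInlineHandlers(html);

console.log(inlineHandlerPolicy(POLICY), blockedHandlers(POLICY, SAMPLE_HTML));
```

Running it over a saved copy of a rendered page gives an inventory of the inline handlers that would have to move into external scripts before the policy can be enforced without breaking the page.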
