Hi, the latest version of Chrome, Firefox and Edge support CSP level 3. Primefaces CSP implementation using "nonce" is only CSP level 2.
After I enabled the CSP in Primefaces which added the nonce, our application is still locked by the browsers.
Is there any other solution to fix it?
Does primefaces meet CSP level 3 requirement
-
- PrimeFaces Core Developer
- Posts: 3979
- Joined: 03 Dec 2010, 14:11
- Location: Bavaria, DE
- Contact:
i dont think so, nonce was the only way to add CSP to JSF/PrimeFaces without rewriting everything
Thomas Andraschko
PrimeFaces | PrimeFaces Extensions
Apache Member | OpenWebBeans, DeltaSpike, MyFaces, BVal, TomEE
Sponsor me: https://github.com/sponsors/tandraschko
Blog: http://tandraschko.blogspot.de/
Twitter: https://twitter.com/TAndraschko
PrimeFaces | PrimeFaces Extensions
Apache Member | OpenWebBeans, DeltaSpike, MyFaces, BVal, TomEE
Sponsor me: https://github.com/sponsors/tandraschko
Blog: http://tandraschko.blogspot.de/
Twitter: https://twitter.com/TAndraschko
When you say locked by browsers what do you mean? I am using PrimeFaces CSP in Production and its working in all majors browsers right now at CSP level 2.
PrimeFaces Developer | PrimeFaces Extensions Developer
GitHub Profile: https://github.com/melloware
PrimeFaces Elite 13.0.0 / PF Extensions 13.0.0
PrimeReact 9.6.1
GitHub Profile: https://github.com/melloware
PrimeFaces Elite 13.0.0 / PF Extensions 13.0.0
PrimeReact 9.6.1
-
- Information
-
Who is online
Users browsing this forum: No registered users and 47 guests