JavaServer Faces and Content Security Policy?

I would like to use Content Security Policy in my JSF 2.1-based web projects, as I think it can significantly improve protection against XSS attacks.

Because CSP's default behavior is to block all inline JavaScript, it basically breaks the JSF

<f:ajax execute="input" render="output" />

functionality, since JSF generates a lot of inline JavaScript for this construct.

Does anyone know whether there is a way to use CSP in JSF-based projects that use f:ajax without having to allow inline JS with the following CSP directive:

Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'

I know that manually placing all the JavaScript in a separate file would be possible, but then I would have to handle all the Ajax stuff manually.

+4
1 answer

You could avoid using the unsafe-inline source expression to whitelist inline <script>s by using a nonce and/or a hash instead [1]. This requires:

  • Including a nonce attribute in the inline <script> elements, e.g.

    <f:ajax ... pt:nonce="$placeHolder" />

    (where pt is the passthrough namespace http://xmlns.jcp.org/jsf/passthrough).

  • Having something (a Filter, for example) replace the placeholder with the nonce in both the rendered <script> and the CSP HTTP header / <meta> tag, i.e.

    <script ... nonce="126cfb...">

    Content-Security-Policy: default-src 'self'; ... script-src 'self' 'nonce-126cfb...'.

  • Or, alternatively, hashing the content of each inline <script> and listing the hashes in the CSP HTTP header / <meta> tag, e.g.

    Content-Security-Policy: script-src 'sha256-126cfb...='.

+3
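A servlet Filter along the lines of the nonce bullet above, as an added example rather than code from the answer: it generates a random nonce per response, puts it in the Content-Security-Policy header and, instead of replacing a $placeHolder in the rendered HTML, exposes it as a request attribute (assumed name cspNonce) that a view can reference as pt:nonce="#{cspNonce}". The "/*" mapping and the javax.servlet API are also assumptions.

```java
// Added example (not from the original answer): a servlet Filter that issues a
// fresh CSP nonce per response. Instead of replacing "$placeHolder" in the
// rendered HTML it exposes the nonce as a request attribute, so a view can use
// pt:nonce="#{cspNonce}". The attribute name and the "/*" mapping are assumed.
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

@WebFilter("/*")
public class CspNonceFilter implements Filter {
    public static final String NONCE_ATTR = "cspNonce";
    private static final SecureRandom RANDOM = new SecureRandom();

    // 128 bits from a CSPRNG, base64-encoded. A nonce must be unguessable and
    // used for one response only; a fixed or predictable value would let any
    // injected markup reuse it, defeating the whole point of the policy.
    static String newNonce() {
        byte[] bytes = new byte[16];
        RANDOM.nextBytes(bytes);
        return Base64.getEncoder().encodeToString(bytes);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        String nonce = newNonce();
        // Make it available to the view as #{cspNonce}.
        req.setAttribute(NONCE_ATTR, nonce);
        // Headers must be set before the response is committed, i.e. before
        // the JSF lifecycle renders anything.
        ((HttpServletResponse) res).setHeader("Content-Security-Policy",
                "default-src 'self'; script-src 'self' 'nonce-" + nonce + "'");
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

Any inline <script> that does not carry the nonce, including the ones JSF itself generates for f:ajax, is still blocked under this policy.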

Source: https://habr.com/ru/post/1533072/
