Tags: jsf, primefaces, content-security-policy, mojarra

PrimeFaces CSP cannot work with some parts of faces.js


Versions: Faces 2.2, Faces JavaScript Library, Mojarra Faces 4.0.7

I switched on PrimeFaces CSP in web.xml, and it generates nonces for the JS.

I found some XHTML where faces.js is violating it (unsafe-inline):

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'

if (!!script) {
    var scriptNode = document.createElement("script");
    scriptNode.type = "text/javascript";
    scriptNode.text = script;       // inline script body; no nonce attribute is set
    head.appendChild(scriptNode);   // this violates the CSP
    head.removeChild(scriptNode);
}

How can I use PrimeFaces CSP and faces.js together safely?
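To make the failure concrete, here is an added example (not code from faces.js, PrimeFaces or the question) that models the check a browser applies to an inline script like the one the faces.js fragment above creates: the element has no nonce, so a nonce-based script-src refuses it, while the same element with the page nonce propagated passes. The policy string and nonce value are constructed; hashes and 'strict-dynamic' are left out.

```javascript
// Added example: a small model of the CSP decision for inline <script>
// elements. Covers 'unsafe-inline' and 'nonce-...' sources only.

// Parse a CSP header value into { directiveName: [source, ...] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// May an inline script element carrying `elementNonce` (or none) execute?
// script-src governs; default-src is the fallback. Per CSP Level 2+, any
// nonce or hash source in the directive switches 'unsafe-inline' off.
function inlineScriptAllowed(policy, elementNonce) {
  const d = parseCsp(policy);
  const sources = d["script-src"] || d["default-src"];
  if (!sources) return true; // no governing directive at all
  const nonces = sources
    .filter((s) => /^'nonce-.+'$/i.test(s))
    .map((s) => s.slice("'nonce-".length, -1));
  const hasHash = sources.some((s) => /^'sha(256|384|512)-/i.test(s));
  if (elementNonce && nonces.includes(elementNonce)) return true;
  const unsafeInline = sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
  return unsafeInline && nonces.length === 0 && !hasHash;
}

// Model of the faces.js fragment: createElement("script") + .text. Without a
// nonce the node is refused under a nonce-only policy; with the page nonce
// copied onto it, the same node is allowed.
function facesStyleInject(policy, scriptText, nonce) {
  const scriptNode = { type: "text/javascript", text: scriptText, nonce };
  return { executed: inlineScriptAllowed(policy, scriptNode.nonce), scriptNode };
}

// Constructed policy in the shape a nonce-based CSP emits (nonce value made up).
const POLICY = "script-src 'self' 'nonce-c29tZW5vbmNl'";
```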


Solution

  • PrimeFaces CSP does not work with Mojarra f:ajax, it works however with MyFaces f:ajax.
    See our documentation: https://primefaces.github.io/primefaces/15_0_0/#/core/contentsecuritypolicy?id=known-limitations