拒绝执行内联脚本,因为违反了内容安全策略 (primefaces 8)
Refuse to execute inline script because violates Content Security Policy (primefaces 8)
环境:
- Java 11
- Jboss 7.2
- Primefaces 8
- JSF 2.3
我正在尝试使用 ajax 呈现事件更新组合框,但网络没有更新组合框,我收到此错误。
我该如何解决这个问题?
错误 js 控制台
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-ZGRkM2ZjYTAtNzE3MC00MmU4LWE4YmMtOWNmYjUyNjYyMTNh'". Either the 'unsafe-inline' keyword, a hash ('sha256-PoJBY0XvVwb+v60hF7CQr9zfBAfr3HAsK3P9TEKUqGs='), or a nonce ('nonce-...') is required to enable inline execution.
runScript @ jsf.js.xhtml?ln=javax.faces:1
runScripts @ jsf.js.xhtml?ln=javax.faces:1
doUpdate @ jsf.js.xhtml?ln=javax.faces:1
response @ jsf.js.xhtml?ln=javax.faces:1
onComplete @ jsf.js.xhtml?ln=javax.faces:1
AjaxEngine.req.xmlReq.onreadystatechange @ jsf.js.xhtml?ln=javax.faces:1
web.xml
...
<!--Primefaces Content Security Policy-->
<context-param>
<param-name>primefaces.CSP</param-name>
<param-value>true</param-value>
</context-param>
...
face.xhtml
...
<p:selectOneMenu id="cbxOrganisme" value="#{userBean.selected.organism}"
valueChangeListener="#{userBean.onChangeOrganism}"
converter="vTableConverter" filter="true"
rendered="true" required="true" style="width: 90%;">
<f:ajax event="change" execute="@this" listener="#{userBean.onChangeOrganism}" render="cbxCenter"/>
<f:selectItem itemLabel="#{messages['seleccionar']}" itemValue="" noSelectionOption="true"/>
<f:selectItems value="#{userBean.organisms}" var="organism"
itemLabel="#{sessionBean.localeCode eq 'ca'? organism.nomCA:organism.nomES}"
itemValue="#{organism}"/>
</p:selectOneMenu>
...
web.html
<html><head id="j_idt2">
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE9">
<meta http-equiv="Content-Type" content="text/xhtml; charset=UTF-8">
<meta http-equiv="Cache-Control" content="no-cache">
<meta http-equiv="Pragma" content="no-cache">
<title>Govern de les Illes Balears - APP
</title><link type="text/css" rel="stylesheet" href="/APP2/javax.faces.resource/theme.css.xhtml?ln=primefaces-bootstrap">
<link type="text/css" rel="stylesheet" href="/APP2/javax.faces.resource/fa/font-awesome.css.xhtml?ln=primefaces&v=8.0">
<link type="text/css" rel="stylesheet" href="/APP2/javax.faces.resource/govern-ie.css.xhtml?ln=css">
<link type="text/css" rel="stylesheet" href="/APP2/javax.faces.resource/buttons.css.xhtml?ln=css">
<link type="text/css" rel="stylesheet" href="/APP2/javax.faces.resource/components.css.xhtml?ln=primefaces&v=8.0">
<script type="text/javascript" src="/APP2/javax.faces.resource/jquery/jquery.js.xhtml?ln=primefaces&v=8.0" nonce="">
</script><script type="text/javascript" src="/APP2/javax.faces.resource/jquery/jquery-plugins.js.xhtml?ln=primefaces&v=8.0" nonce="">
</script><script type="text/javascript" src="/APP2/javax.faces.resource/core.js.xhtml?ln=primefaces&v=8.0" nonce=""></script>
<script type="text/javascript" src="/APP2/javax.faces.resource/components.js.xhtml?ln=primefaces&v=8.0" nonce=""></script>
<script type="text/javascript" src="/APP2/javax.faces.resource/idlemonitor/idlemonitor.js.xhtml?ln=primefaces&v=8.0" nonce=""></script>
<script type="text/javascript" src="/APP2/javax.faces.resource/touch/touchswipe.js.xhtml?ln=primefaces&v=8.0" nonce=""></script>
<link type="text/css" rel="stylesheet" href="/APP2/javax.faces.resource/fileupload/fileupload.css.xhtml?ln=primefaces&v=8.0">
<script type="text/javascript" src="/APP2/javax.faces.resource/fileupload/fileupload.js.xhtml?ln=primefaces&v=8.0" nonce=""></script>
<script type="text/javascript" src="/APP2/javax.faces.resource/jsf.js.xhtml?ln=javax.faces" nonce=""></script>
<script type="text/javascript" nonce="">if(window.PrimeFaces){PrimeFaces.settings.locale='ca';}</script><script type="text/javascript" nonce="">$(function(){PrimeFaces.csp.init('ZTFhYjQ3MDItYzM5Yy00MGU5LWE2NDEtZDFjMTExNDEzMWU4');;});</script>
<script async="async" src="https://www.googletagmanager.com/gtag/js?id=UA-133688930-1" nonce=""></script>
<script nonce="">
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('js', new Date());
gtag('config', 'UA-133688930-1');
function redirectPrincipal() {
let context = "APP/";
let mainPage = "principal.xhtml";
let url = window.location.href;
if (url.endsWith(context)) {
window.location.replace(url + "principal.xhtml");
}
}
redirectPrincipal();
</script>
<link rel="SHORTCUT ICON" href="http://www.name.es/webname/favicon.ico"><script type="text/javascript" src="/APP2/javax.faces.resource/calendar-localization.js.xhtml?ln=js" nonce=""></script>
<script type="text/javascript" src="/APP2/javax.faces.resource/functions.js.xhtml?ln=js" nonce=""></script>
<meta name="description" content="APP. Versió: 8.0.0-">
<meta name="author" content="Govern de les Illes Balears"></head>
<body>
...
</body>
</html>
Content Security Policy known limitations
目前 CSP 与 的组合不能与所有 Faces 实现/版本一起使用。
MyFaces 从 2.3-next 开始支持它(将来会是 4.0),Mojarra 一般不支持它:https://github.com/eclipse-ee4j/mojarra/issues/4542
作为解决方法,您始终可以改用 。
环境:
- Java 11
- Jboss 7.2
- Primefaces 8
- JSF 2.3
我正在尝试使用 ajax 呈现事件更新组合框,但网络没有更新组合框,我收到此错误。 我该如何解决这个问题?
错误 js 控制台
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-ZGRkM2ZjYTAtNzE3MC00MmU4LWE4YmMtOWNmYjUyNjYyMTNh'". Either the 'unsafe-inline' keyword, a hash ('sha256-PoJBY0XvVwb+v60hF7CQr9zfBAfr3HAsK3P9TEKUqGs='), or a nonce ('nonce-...') is required to enable inline execution.
runScript @ jsf.js.xhtml?ln=javax.faces:1
runScripts @ jsf.js.xhtml?ln=javax.faces:1
doUpdate @ jsf.js.xhtml?ln=javax.faces:1
response @ jsf.js.xhtml?ln=javax.faces:1
onComplete @ jsf.js.xhtml?ln=javax.faces:1
AjaxEngine.req.xmlReq.onreadystatechange @ jsf.js.xhtml?ln=javax.faces:1
web.xml
...
<!--Primefaces Content Security Policy-->
<context-param>
<param-name>primefaces.CSP</param-name>
<param-value>true</param-value>
</context-param>
...
face.xhtml
...
<p:selectOneMenu id="cbxOrganisme" value="#{userBean.selected.organism}"
valueChangeListener="#{userBean.onChangeOrganism}"
converter="vTableConverter" filter="true"
rendered="true" required="true" style="width: 90%;">
<f:ajax event="change" execute="@this" listener="#{userBean.onChangeOrganism}" render="cbxCenter"/>
<f:selectItem itemLabel="#{messages['seleccionar']}" itemValue="" noSelectionOption="true"/>
<f:selectItems value="#{userBean.organisms}" var="organism"
itemLabel="#{sessionBean.localeCode eq 'ca'? organism.nomCA:organism.nomES}"
itemValue="#{organism}"/>
</p:selectOneMenu>
...
web.html
<html><head id="j_idt2">
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE9">
<meta http-equiv="Content-Type" content="text/xhtml; charset=UTF-8">
<meta http-equiv="Cache-Control" content="no-cache">
<meta http-equiv="Pragma" content="no-cache">
<title>Govern de les Illes Balears - APP
</title><link type="text/css" rel="stylesheet" href="/APP2/javax.faces.resource/theme.css.xhtml?ln=primefaces-bootstrap">
<link type="text/css" rel="stylesheet" href="/APP2/javax.faces.resource/fa/font-awesome.css.xhtml?ln=primefaces&v=8.0">
<link type="text/css" rel="stylesheet" href="/APP2/javax.faces.resource/govern-ie.css.xhtml?ln=css">
<link type="text/css" rel="stylesheet" href="/APP2/javax.faces.resource/buttons.css.xhtml?ln=css">
<link type="text/css" rel="stylesheet" href="/APP2/javax.faces.resource/components.css.xhtml?ln=primefaces&v=8.0">
<script type="text/javascript" src="/APP2/javax.faces.resource/jquery/jquery.js.xhtml?ln=primefaces&v=8.0" nonce="">
</script><script type="text/javascript" src="/APP2/javax.faces.resource/jquery/jquery-plugins.js.xhtml?ln=primefaces&v=8.0" nonce="">
</script><script type="text/javascript" src="/APP2/javax.faces.resource/core.js.xhtml?ln=primefaces&v=8.0" nonce=""></script>
<script type="text/javascript" src="/APP2/javax.faces.resource/components.js.xhtml?ln=primefaces&v=8.0" nonce=""></script>
<script type="text/javascript" src="/APP2/javax.faces.resource/idlemonitor/idlemonitor.js.xhtml?ln=primefaces&v=8.0" nonce=""></script>
<script type="text/javascript" src="/APP2/javax.faces.resource/touch/touchswipe.js.xhtml?ln=primefaces&v=8.0" nonce=""></script>
<link type="text/css" rel="stylesheet" href="/APP2/javax.faces.resource/fileupload/fileupload.css.xhtml?ln=primefaces&v=8.0">
<script type="text/javascript" src="/APP2/javax.faces.resource/fileupload/fileupload.js.xhtml?ln=primefaces&v=8.0" nonce=""></script>
<script type="text/javascript" src="/APP2/javax.faces.resource/jsf.js.xhtml?ln=javax.faces" nonce=""></script>
<script type="text/javascript" nonce="">if(window.PrimeFaces){PrimeFaces.settings.locale='ca';}</script><script type="text/javascript" nonce="">$(function(){PrimeFaces.csp.init('ZTFhYjQ3MDItYzM5Yy00MGU5LWE2NDEtZDFjMTExNDEzMWU4');;});</script>
<script async="async" src="https://www.googletagmanager.com/gtag/js?id=UA-133688930-1" nonce=""></script>
<script nonce="">
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('js', new Date());
gtag('config', 'UA-133688930-1');
function redirectPrincipal() {
let context = "APP/";
let mainPage = "principal.xhtml";
let url = window.location.href;
if (url.endsWith(context)) {
window.location.replace(url + "principal.xhtml");
}
}
redirectPrincipal();
</script>
<link rel="SHORTCUT ICON" href="http://www.name.es/webname/favicon.ico"><script type="text/javascript" src="/APP2/javax.faces.resource/calendar-localization.js.xhtml?ln=js" nonce=""></script>
<script type="text/javascript" src="/APP2/javax.faces.resource/functions.js.xhtml?ln=js" nonce=""></script>
<meta name="description" content="APP. Versió: 8.0.0-">
<meta name="author" content="Govern de les Illes Balears"></head>
<body>
...
</body>
</html>
Content Security Policy known limitations
目前 CSP 与
MyFaces 从 2.3-next 开始支持它(将来会是 4.0),Mojarra 一般不支持它:https://github.com/eclipse-ee4j/mojarra/issues/4542
作为解决方法,您始终可以改用