
CSP: ui:debug doesn't work with CSP turned on #11801

Closed
martin654 opened this issue Apr 24, 2024 · 6 comments
Labels
Resolution: Wontfix Issue will not be fixed due to technical limitations third-party Issue is tracked in 3rd party library

Comments

@martin654

martin654 commented Apr 24, 2024

Describe the bug

ui:debug doesn't work with CSP enabled in PrimeFaces

Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'nonce-YmJlMjkxY2QtODcxMS00NGI4LTkwM2MtMDY1ZmI1NjM1ZTNk'".

[image]

Reproducer

  1. enable
     <context-param>
         <param-name>primefaces.CSP</param-name>
         <param-value>true</param-value>
     </context-param>
  2. use ui:debug in page:
     <ui:debug hotkey="x" />
  3. press ctrl+shift+x on page in browser
  4. see browser console

Reproducer project:
primefaces-test-ui-debug.zip

Expected behavior

debug window is shown

PrimeFaces edition

Elite

PrimeFaces version

13.0.8

Theme

No response

JSF implementation

Mojarra

JSF version

4.0.7

Java version

17

Browser(s)

Chrome

@martin654 martin654 added ‼️ needs-triage Issue needs triaging 🐞 defect Bug...Something isn't working labels Apr 24, 2024
@melloware
Member

Unfortunately as you know ui:debug is a JSF component NOT a PF component and it uses JS eval. In all of PrimeFaces code we do this...

PrimeFaces.csp.eval(XXX);

Which allows for eval under CSP. Because ui:debug is doing a raw eval you will get this CSP violation. Not sure there is anything PF can fix about this...

@melloware melloware added third-party Issue is tracked in 3rd party library and removed 🐞 defect Bug...Something isn't working ‼️ needs-triage Issue needs triaging labels Apr 24, 2024
@melloware
Member

Both Mojarra and MyFaces do this in UIDebug.java...

```java
// Builds the client-side faceletsDebug() helper as a string; the generated JS calls
// eval() on a string, which a script-src policy without 'unsafe-eval' refuses.
StringBuilder sb = new StringBuilder();
sb.append("function faceletsDebug(URL) { day = new Date(); id = day.getTime(); eval(\"page\" + id + \" "
                  + "= window.open(URL, '\" + id + \"', 'toolbar=0,scrollbars=1,location=0,statusbar=0,menubar=0,"
                  + "resizable=1,width=800,height=600,left = 240,top = 212');\"); };");
```
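
The two comments above make two points: a nonce-based script-src blocks eval(), and UIDebug only uses eval() to create a global variable with a computed name. The following is an added example, not code from the issue, from PrimeFaces, or from Mojarra/MyFaces. It shows (1) a small parser that reports whether a Content-Security-Policy value permits string evaluation, and (2) an eval-free rewrite of the generated faceletsDebug() helper that achieves the same "page<id>" global via a computed property. The function names, the fake window object used for testing, and the sample policy string with the nonce value 'nonce-EXAMPLE' are all constructed for this example.

```javascript
// Added example: CSP eval check and an eval-free faceletsDebug() (not project code).

// Parse a Content-Security-Policy header value into { directiveName: [sources] }.
// Per the CSP spec, the first occurrence of a directive wins; later repeats are ignored.
function parseCsp(header) {
  const policy = {};
  for (const rawDirective of header.split(";")) {
    const tokens = rawDirective.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!(key in policy)) policy[key] = sources;
  }
  return policy;
}

// True if eval(), new Function() and string arguments to setTimeout are permitted.
// script-src governs this; if it is absent, default-src applies; if neither is
// present, the policy places no restriction on string evaluation.
function scriptSrcAllowsEval(header) {
  const policy = parseCsp(header);
  const sources = policy["script-src"] ?? policy["default-src"];
  if (sources === undefined) return true;
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Window features copied from the UIDebug.java string quoted in the issue.
const DEBUG_WINDOW_FEATURES =
  "toolbar=0,scrollbars=1,location=0,statusbar=0,menubar=0," +
  "resizable=1,width=800,height=600,left = 240,top = 212";

// Eval-free equivalent of the generated faceletsDebug(URL). The original runs
// eval("page<id> = window.open(...)") only to create a global named "page" + id;
// assigning a computed property on the global object does the same thing without
// evaluating a string, so a nonce-based script-src does not block it.
// `win` is the global object (window in a browser); it is a parameter here so the
// function can be exercised with a constructed stand-in outside a browser.
function faceletsDebugNoEval(win, url) {
  const id = Date.now();
  const name = "page" + id;
  win[name] = win.open(url, String(id), DEBUG_WINDOW_FEATURES);
  return name; // the global name the original helper would have created via eval
}

// Constructed policy in the same shape as the one in the reported error message.
const SAMPLE_NONCE_POLICY = "script-src 'self' 'nonce-EXAMPLE'";

module.exports = { parseCsp, scriptSrcAllowsEval, faceletsDebugNoEval, SAMPLE_NONCE_POLICY };
```

The check is the one a reviewer would run against a deployed header before concluding that a component "works with CSP": if `scriptSrcAllowsEval` returns false, any component that evaluates strings will fail exactly as the issue describes. Adding `'unsafe-eval'` makes the error disappear but gives up most of what the nonce policy buys; the component-side fix is to remove the string evaluation, as `faceletsDebugNoEval` does.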

@martin654
Author

I understand. Thank you for investigating it.

@melloware
Member

@martin654 I could add a <pe:debug> to PrimeFaces Extensions which will handle the CSP. If you are interested, we could open a ticket over at PFE?

@melloware
Member

For now I will close this, as this is an issue in both JSF libs.

@melloware melloware closed this as not planned Won't fix, can't repro, duplicate, stale Apr 26, 2024
@melloware melloware added the Resolution: Wontfix Issue will not be fixed due to technical limitations label Apr 26, 2024
@martin654
Author

> @martin654 I could add a <pe:debug> to PrimeFaces Extensions which will handle the CSP. If you are interested, we could open a ticket over at PFE?

Hi, we use ui:debug sometimes in non-prod environment. We can temporarily disable CSP for this. It isn't a must-have feature for us, but thanks for the offer. Thanks
