CSP: ui:debug doesn't work with CSP turned on #11801
Comments
Unfortunately as you know PrimeFaces.csp.eval(XXX); Which allows for eval under CSP. Because both Mojarra and MyFaces do this in UIDebug.java...

```java
sb.append("function faceletsDebug(URL) { day = new Date(); id = day.getTime(); eval(\"page\" + id + \" "
        + "= window.open(URL, '\" + id + \"', 'toolbar=0,scrollbars=1,location=0,statusbar=0,menubar=0,"
        + "resizable=1,width=800,height=600,left = 240,top = 212');\"); };");
```
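The `eval` call in the UIDebug.java snippet quoted above only builds a dynamically named global for the window handle, so the same behaviour is reachable without evaluating a string. The following Node.js sketch is an added example, not code from Mojarra, MyFaces or PrimeFaces: it runs the emitted function and a hypothetical eval-free rewrite in a `vm` context with string code generation disabled, emulating a `script-src` without `'unsafe-eval'`. The `window` stub, `runVariant`, `demo` and the `/debug-view` URL are assumptions.

```javascript
// Added example: runs under Node.js, no browser needed.
const vm = require('node:vm');

const FEATURES = 'toolbar=0,scrollbars=1,location=0,statusbar=0,menubar=0,' +
  'resizable=1,width=800,height=600,left = 240,top = 212';

// The function as the UIDebug.java snippet emits it (Java escapes removed,
// one line break added for readability).
const ORIGINAL = `function faceletsDebug(URL) { day = new Date(); id = day.getTime();
  eval("page" + id + " = window.open(URL, '" + id + "', '${FEATURES}');"); };`;

// Hypothetical eval-free rewrite: the window name is passed as a plain string
// and the handle is stored under a computed property instead of a global
// whose name is built by eval.
const REWRITTEN = `function faceletsDebug(URL) { var id = new Date().getTime();
  window['page' + id] = window.open(URL, String(id), '${FEATURES}'); };`;

// Runs one variant in a fresh context. allowEval=false makes V8 refuse to
// compile strings as code, emulating a CSP without 'unsafe-eval'.
function runVariant(source, allowEval) {
  const calls = [];
  // Constructed stub standing in for the browser window object.
  const windowStub = { open: (...args) => { calls.push(args); return {}; } };
  const context = vm.createContext({ window: windowStub },
    { codeGeneration: { strings: allowEval } });
  try {
    vm.runInContext(source + '\nfaceletsDebug("/debug-view");', context);
    return { opened: calls.length, error: null };
  } catch (e) {
    // Compare by name: the error object comes from the other context's realm.
    return { opened: calls.length, error: e.name };
  }
}

function demo() {
  return {
    originalNoCsp: runVariant(ORIGINAL, true),   // eval permitted
    originalCsp: runVariant(ORIGINAL, false),    // eval blocked
    rewrittenCsp: runVariant(REWRITTEN, false),  // eval blocked, not needed
  };
}

console.log(demo());
```

Only the original variant under the restricted context fails, with the same `EvalError` class the browser console reports in the issue.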
I understand. Thank you for investigating it.
@martin654 I could add a
For now I will close this as this is an issue in both JSF libs.
Hi, we use ui:debug sometimes in non-prod environment. We can temporarily disable CSP for this. It isn't a must-have feature for us, but thanks for the offer. Thanks
Describe the bug
ui:debug doesn't work with CSP enabled in PrimeFaces
Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'nonce-YmJlMjkxY2QtODcxMS00NGI4LTkwM2MtMDY1ZmI1NjM1ZTNk'".
Reproducer
use ui:debug in page:
<ui:debug hotkey="x" />
press ctrl+shift+x on page in browser
see browser console
Reproducer project:
primefaces-test-ui-debug.zip
Expected behavior
debug window is shown
PrimeFaces edition
Elite
PrimeFaces version
13.0.8
Theme
No response
JSF implementation
Mojarra
JSF version
4.0.7
Java version
17
Browser(s)
Chrome