Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Java Server Faces and Content Security Policy?

Tags:

jsf

web

content-security-policy

I would like to use Content Security Policy for my JSF 2.1 based Web projects as I think it could improve protection against XSS attacks significantly.

Due to CSP's default behaviour to block all inline JavaScript it basically breaks JSF's 

<f:ajax execute="input" render="output" />

functionality. This is because JSF generates lots of inline JavaScript code when using the above stated construct.

Does anybody know if there is a way to use CSP in JSF based projects which make use of f:ajax without the need to allow inline JS by using the following CSP directive:

Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'

I know that manually placing all of the JavaScript in a separate file would be possible, but doing so I would be forced to do all the Ajax stuff manually.

like image 735
t3chris Avatar asked Mar 23 '14 16:03

t3chris

1 Answers

You could avoid using the unsafe-inline source-expression in order to whitelist inline <script>s, by utilizing nonce and/or hash instead [1]. Doing so would require:

  • Inclusion of a nonce attribute in inline <script> elements, e.g.

    <f:ajax ... pt:nonce="$placeHolder" />

    (assuming that the pt prefix has been bound to the http://xmlns.jcp.org/jsf/passthrough namespace). The attribute's value could just be a placeholder within the view file, enabling you to replace it collectively in all trusted inline <script>s later on.

  • Replacement (via a Filter, for instance) of the placeholder with a random value in each response and insertion of that value into the CSP HTTP Header and/or equivalent <meta> element, producing for example

    <script ... nonce="126cfb..."> and

    Content-Security-Policy: default-src 'self'; ... script-src 'self' 'nonce-126cfb...'.

    Theoretically, produced nonce-values should also be stored on the server, to avoid their reassignment in the near future, since they're supposed to be unique.

  • Additionally or alternatively, insertion of each trusted inline <script> contents' digest into the CSP HTTP Header and/or equivalent <meta> element, alongside its respective hash-algo, such as

    Content-Security-Policy: script-src 'sha256-126cfb...='.

    hash-values should too be regenerated while preparing each response, I guess, since <script>s are generally expected to change over time and with JSF you might not immediately notice when they do.

like image 59
Uux Avatar answered Oct 18 '22 13:10

Uux
Sign in to Comment

Related questions

SelectCheckboxMenu - Disable "all-selection"
How to display Browser name and version with JSF 2.0?
Valuechangelistener Doubt in JSF
Conditional update in Primefaces/jsf
selectonemenu with the error java.lang.String cannot be cast to javax.faces.model.SelectItem
How to get user's browser id using JSF?
JSF outputtext conditional display/styling. Differently depending on condition
Jsf : Validation error value is not valid for SelectOneMenu [duplicate]
javax.el.ELException: Failed to parse the expression [{pz:instanceof(object,'com.project.domain.MyClass')}]
Is (isUserInRole()) the easiest way to attach user permissions/security to a JSF button?
Invoking a JavaScript function from oncomplete handler of p:remoteCommand - simulating the same using some JavaScript code
Are there any JSF components for implementing breadcrumb navigation?
Aligning Menu Group to Menu Item
Passing parameters to PrimeFaces Star Rating component?
Dynamic page update in nested primefaces layout
Resetting child p:selectOneMenus inside a p:dataTable to empty, when a labelled item in their parent list is selected
Javascript self contained sandbox events and client side stack

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!