Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Java Server Faces and Content Security Policy?

I would like to use Content Security Policy for my JSF 2.1 based Web projects as I think it could improve protection against XSS attacks significantly.

Due to CSP's default behaviour to block all inline JavaScript it basically breaks JSF's

<f:ajax execute="input" render="output" />

functionality. This is because JSF generates lots of inline JavaScript code when using the above stated construct.

Does anybody know if there is a way to use CSP in JSF based projects which make use of f:ajax without the need to allow inline JS by using the following CSP directive:

Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'

I know that manually placing all of the JavaScript in a separate file would be possible, but doing so I would be forced to do all the Ajax stuff manually.

like image 735
t3chris Avatar asked Mar 23 '14 16:03

t3chris


1 Answers

You could avoid using the unsafe-inline source-expression in order to whitelist inline <script>s, by utilizing nonce and/or hash instead [1]. Doing so would require:

  • Inclusion of a nonce attribute in inline <script> elements, e.g.

    <f:ajax ... pt:nonce="$placeHolder" />

    (assuming that the pt prefix has been bound to the http://xmlns.jcp.org/jsf/passthrough namespace). The attribute's value could just be a placeholder within the view file, enabling you to replace it collectively in all trusted inline <script>s later on.

  • Replacement (via a Filter, for instance) of the placeholder with a random value in each response and insertion of that value into the CSP HTTP Header and/or equivalent <meta> element, producing for example

    <script ... nonce="126cfb..."> and

    Content-Security-Policy: default-src 'self'; ... script-src 'self' 'nonce-126cfb...'.

    Theoretically, produced nonce-values should also be stored on the server, to avoid their reassignment in the near future, since they're supposed to be unique.

  • Additionally or alternatively, insertion of each trusted inline <script> contents' digest into the CSP HTTP Header and/or equivalent <meta> element, alongside its respective hash-algo, such as

    Content-Security-Policy: script-src 'sha256-126cfb...='.

    hash-values should too be regenerated while preparing each response, I guess, since <script>s are generally expected to change over time and with JSF you might not immediately notice when they do.

like image 59
Uux Avatar answered Oct 18 '22 13:10

Uux