
Conversation

@jasondlee (Contributor) commented Sep 5, 2025

Backporting CSP-related changes from 5.x to the 4.0 branch.

@jasondlee jasondlee changed the base branch from master to 4.0 September 24, 2025 21:51
@jasondlee jasondlee marked this pull request as ready for review September 24, 2025 21:51
@jasondlee jasondlee changed the title from "Backportof CSP-related changes" to "Backport of CSP-related changes" Sep 24, 2025
@jasondlee (Contributor, Author)

@arjantijms @BalusC Any thoughts on this?

@softwaresicario

Thanks for backporting this, first off!

Secondly, out of all the changes implemented, I can't seem to find the one addressing the need of unsafe-eval because of the use of faces.util.chain(this,event,'mojarra.ab(....

Any chance of one of the PR participants pointing it out?

Thanks in advance for your time!

@BalusC (Contributor) commented Oct 18, 2025

LGTM :) But why exactly is Issue5576IT disabled?

Have you already run the entire 4.0 TCK on this branch? Did it all pass?

(sorry for late response, I was vacationing)

@jasondlee (Contributor, Author)

> Thanks for backporting this, first off!
>
> Secondly, out of all the changes implemented, I can't seem to find the one addressing the need of unsafe-eval because of the use of faces.util.chain(this,event,'mojarra.ab(....

@fcarriedos Sorry. Work took me away from this for a bit. :) I thought I had ported everything. Can you point to what I missed? Definitely want to make sure we get it all. :)

@softwaresicario commented Dec 1, 2025

@jasondlee Thanks for coming back to me on this one!

I'm failing to see any specific change to address the issue described below, more specifically in the definition of faces.util.chain in faces.js.

Please let me know if I missed something, I am looking in the wrong place or any clarification is needed.

Context

When there is more than one event handler or more than one action per handler, faces.js chains invocations by creating new Function objects and invoking them, see:

For this to work, the Content Security Policy forces the need for unsafe-eval (insecure and an obstacle to comply with a solid CSP). Otherwise the execution fails as shown in the screenshots.

I pushed this reproducer and I'm attaching some screenshots that hopefully help clarifying the issue.

[screenshots: 1-UnsafeEvalIsNeeded, 2-ExactlyTheSameProblem]

Thanks in advance for your time! 🙇
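The comment above describes the mechanism in general terms: chaining event handlers by compiling each handler's source string with `new Function` requires `'unsafe-eval'` in the CSP `script-src` directive. The block below is an added illustration, not Mojarra's faces.js and not code from any participant in this thread. It contrasts a string-compiling chain with one that takes function references, so no code is compiled from a string at runtime. The chain contract used here (handlers run in order with `this` bound to the source element and the event as argument; a handler returning false stops the chain) is an assumption for the example, and the names `chainWithEval`, `chainWithoutEval` and `needsUnsafeEval` are hypothetical.

```javascript
// Added illustration, not Mojarra's faces.js. The chain contract below is an
// assumption for this example: handlers run in order with `this` bound to the
// source element and the event as the argument, and a handler that returns
// false stops the chain. The function names are hypothetical.

// Pattern the thread describes: each handler is a source string (e.g. the body
// of an onclick attribute) compiled at runtime with `new Function`. Under a
// Content-Security-Policy whose script-src lacks 'unsafe-eval', the
// `new Function` call throws an EvalError before any handler runs.
function chainWithEval(source, event, ...handlerSources) {
  for (const src of handlerSources) {
    const fn = new Function("event", src); // blocked by CSP without 'unsafe-eval'
    if (fn.call(source, event) === false) {
      return false;
    }
  }
  return true;
}

// CSP-compatible variant: handlers arrive as function references, so nothing
// is compiled from a string and no 'unsafe-eval' allowance is needed. A string
// is rejected instead of silently falling back to new Function.
function chainWithoutEval(source, event, ...handlers) {
  for (const fn of handlers) {
    if (typeof fn !== "function") {
      throw new TypeError(
        "handler must be a function reference; a string would need new Function(), i.e. 'unsafe-eval'"
      );
    }
    if (fn.call(source, event) === false) {
      return false;
    }
  }
  return true;
}

// Review-time check: does this handler list force 'unsafe-eval' into the CSP?
function needsUnsafeEval(handlers) {
  return handlers.some((h) => typeof h === "string");
}

// Constructed stand-ins for a DOM element and a click event, so the example
// runs outside a browser (no real CSP is enforced here).
function demo() {
  const legacyElement = { id: "form:btn", log: [] };
  const legacyStopped = chainWithEval(legacyElement, { type: "click" },
    "this.log.push('first:' + event.type);",
    "this.log.push('second'); return false;",
    "this.log.push('never');");

  const safeElement = { id: "form:btn", log: [] };
  const safeStopped = chainWithoutEval(safeElement, { type: "click" },
    function (event) { this.log.push("first:" + event.type); },
    function () { this.log.push("second"); return false; },
    function () { this.log.push("never"); });

  return {
    legacyLog: legacyElement.log,   // ["first:click", "second"]
    safeLog: safeElement.log,       // ["first:click", "second"]
    legacyStopped,                  // false (stopped by the second handler)
    safeStopped,                    // false
    legacyNeedsEval: needsUnsafeEval(["this.log.push(1);"]), // true
    safeNeedsEval: needsUnsafeEval([function () {}]),        // false
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run with Node: both chains produce the same handler order and both stop at the handler that returns false. The difference only shows under a browser CSP: with a `script-src` that omits `'unsafe-eval'`, `chainWithEval` fails at the `new Function` call (an `EvalError` plus a reported CSP violation, which is what the screenshots in the comment show), while `chainWithoutEval` runs unchanged. `needsUnsafeEval` is the kind of check to apply to generated handler lists in a test so that a string handler cannot sneak back in.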

@jasondlee (Contributor, Author)

@fcarriedos Thanks. I'll give that a look. My backport is, fwiw, a backport of all of the CSP-related changes from 5.x. I don't pretend to understand all of the changes, but I'll try to fix that. :)

@BalusC (Contributor) commented Jan 5, 2026

I fixed it in 5.0 #5631

@jasondlee you can now backport that as well into your branch

@jasondlee (Contributor, Author)

> I fixed it in 5.0 #5631
>
> @jasondlee you can now backport that as well into your branch

Thanks! On it...

3 participants