h:commandLink and unsafe-inline
If you look at Mkyong's example of how h:commandLink is resolved, it looks like this.
//JSF
<h:commandLink action="#{user.goLoginPage}" value="Login page + Param ">
<f:param name="username" value="mkyong" />
</h:commandLink>
//HTML output
<script type="text/javascript"
src="/JavaServerFaces/faces/javax.faces.resource/jsf.js?ln=javax.faces&stage=Development">
</script>
<a href="#"
onclick="mojarra.jsfcljs(document.getElementById('j_idt6'),
{'j_idt6:j_idt20':'j_idt6:j_idt20','username':'mkyong'},'');
return false">
Login page + Param
</a>
The problem is, if you do unsafe-inline, your browser will refuse to do it.
I was whitelisting inline scripts with the nonce method.
Is there a way to allow it to work with h:commandLinks?
1 answer
There is no way to make a POST request with an <a> element in HTML. JSF in this context, being just an HTML code generator, can't do much.
You have 3 options:
- Replace with <h:commandButton>.
- Or replace with <h:link>.
- Or replace with a custom component that initializes the script from the outside.
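One way to do the third option, as an added example that is not part of the original answer and is not JSF or Mojarra code: a script loaded from outside the markup binds the click handler, so the page needs no `onclick` attribute and the CSP needs no `unsafe-inline`. The `data-cmd-form` and `data-cmd-params` attributes, and the custom component that would render them, are assumptions; the ids and parameters are the ones from the HTML output in the question.

```javascript
// Added example: external script, allowed by script-src via 'self' or a nonce.
// Assumed markup from a hypothetical custom component:
//   <a href="#" data-cmd-form="j_idt6"
//      data-cmd-params='{"j_idt6:j_idt20":"j_idt6:j_idt20","username":"mkyong"}'>
function parseParams(raw) {
  // Accept only a flat JSON object of string values; anything else is rejected.
  let obj;
  try { obj = JSON.parse(raw || '{}'); } catch (e) { return null; }
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) return null;
  for (const v of Object.values(obj)) if (typeof v !== 'string') return null;
  return obj;
}

function submitCommand(doc, link) {
  const form = doc.getElementById(link.dataset.cmdForm);
  const params = parseParams(link.dataset.cmdParams);
  if (!form || !params) return false;
  const added = [];
  for (const [name, value] of Object.entries(params)) {
    const input = doc.createElement('input'); // built via DOM API, no innerHTML
    input.type = 'hidden';
    input.name = name;
    input.value = value;
    form.appendChild(input);
    added.push(input);
  }
  form.submit(); // POSTs the enclosing form with the extra parameters
  // Remove the temporary fields so a later submit does not resend them.
  for (const input of added) form.removeChild(input);
  return true;
}

function bindCommandLinks(doc) {
  const links = doc.querySelectorAll('a[data-cmd-form]');
  for (const link of links) {
    link.addEventListener('click', (event) => {
      event.preventDefault(); // replaces the inline "return false"
      submitCommand(doc, link);
    });
  }
  return links.length;
}

// In a browser, bind once the DOM is ready; outside a browser this is skipped.
if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () => bindCommandLinks(document));
}
```

Nonces and hashes in `script-src` apply to `<script>` elements, not to event-handler attributes, which is why the nonce approach alone does not unblock the generated `onclick`.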