
Make sure CSP backport passes the 4.0 TCK#5716

Merged
BalusC merged 5 commits into 4.0 from make_sure_csp_backport_passes_the_4.0_tck on Apr 28, 2026

Conversation

Contributor

@BalusC BalusC commented Apr 28, 2026

#5606

Separate PR for 4.1: #5717

cc: @jasondlee

BalusC added 5 commits April 28, 2026 09:31
which doesn't at all like ES6; rewrite faces-uncompressed.js to no longer
use ES6-specific syntax so YUI Compressor can digest it; fix the
backport regression in runStylesheets (2 lines were dropped?) and ensure
this is covered by faces.ajax.test.ts
backport, below is Claude's observation:

Under server-side state saving, ServerSideStateHelper.writeState calls
externalContext.getSession(true) at WriteBehindStateWriter.flushToWriter
time. If the rendered output already exceeds the response buffer (e.g.
the CSP backport in 4.0.17 emits an extra
<script>mojarra.ael(...)</script> per command, roughly doubling per-link
bytes), the response is committed before flushToWriter runs,
getSession(true) then fails with `IllegalStateException: Cannot create a
session after the response has been committed`, aborting the render
mid-form, so </form> and the jakarta.faces.ViewState hidden input never
reach the client.

FaceletViewHandlingStrategy already had a pre-render getSession() guard
for exactly this reason, but it was strict-equality on
STATE_SAVING_METHOD_SERVER, which disagreed with the helper-selection
rule in ResponseStateManagerImpl (anything not
STATE_SAVING_METHOD_CLIENT → ServerSideStateHelper). Configurations
where STATE_SAVING_METHOD is unset or contains an unresolved placeholder
(e.g. ${webapp.stateSavingMethod}) silently used the server helper but
skipped the pre-create.

Fix isServerStateSaving() to mirror the helper-selection rule
(!STATE_SAVING_METHOD_CLIENT.equalsIgnoreCase(...)), and tighten the
pre-create to only fire when actually needed: non-transient view, no
existing session, server-side state saving, and the view contains at
least one UIForm (verified via a short-circuit visitTree). This avoids
gratuitous session creation for plain pages that have no form and would
not write state anyway, which previously caused JSESSIONID URL rewriting
side-effects.

Fixes Issue1817IT regression introduced by the CSP backport.
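The commit message above describes two predicates that had drifted apart: the helper-selection rule in ResponseStateManagerImpl (anything that is not "client" gets the server-side helper) and the pre-render guard in FaceletViewHandlingStrategy (strict equality on "server"). The following is an added, standalone model of that mismatch and of the tightened pre-create condition; it is not Mojarra source. The constant values "client" and "server" are the documented values of jakarta.faces.STATE_SAVING_METHOD; the class, method and field names here (StateSavingGuardDemo, selectsServerHelper, oldIsServerStateSaving, newIsServerStateSaving, shouldPreCreateSession, Component) are hypothetical stand-ins for the real FacesContext, UIViewRoot and UIForm types, and the configurations fed to it are constructed inputs.

```java
import java.util.Arrays;
import java.util.List;

/**
 * Added example (not Mojarra code): models the old and new
 * isServerStateSaving() checks against the helper-selection rule,
 * and the tightened pre-render session pre-create condition.
 */
public class StateSavingGuardDemo {

    // Values of jakarta.faces.STATE_SAVING_METHOD.
    static final String STATE_SAVING_METHOD_CLIENT = "client";
    static final String STATE_SAVING_METHOD_SERVER = "server";

    /** Helper-selection rule: anything that is not "client" uses ServerSideStateHelper. */
    static boolean selectsServerHelper(String configured) {
        // equalsIgnoreCase(null) is false, so an unset value selects the server helper.
        return !STATE_SAVING_METHOD_CLIENT.equalsIgnoreCase(configured);
    }

    /** Old pre-render guard: strict equality on "server". */
    static boolean oldIsServerStateSaving(String configured) {
        return STATE_SAVING_METHOD_SERVER.equals(configured);
    }

    /** Fixed guard: mirrors the helper-selection rule exactly. */
    static boolean newIsServerStateSaving(String configured) {
        return selectsServerHelper(configured);
    }

    /** Hypothetical stand-in for a component tree; isForm marks a UIForm. */
    static final class Component {
        final boolean isForm;
        final List<Component> children;

        Component(boolean isForm, Component... children) {
            this.isForm = isForm;
            this.children = Arrays.asList(children);
        }
    }

    /** Short-circuit walk: stops at the first UIForm, like the visitTree in the fix. */
    static boolean containsForm(Component root) {
        if (root.isForm) {
            return true;
        }
        for (Component child : root.children) {
            if (containsForm(child)) {
                return true;
            }
        }
        return false;
    }

    /** Pre-create only when every condition from the commit message holds. */
    static boolean shouldPreCreateSession(boolean viewTransient, boolean sessionExists,
                                          String configured, Component viewRoot) {
        return !viewTransient
            && !sessionExists
            && newIsServerStateSaving(configured)
            && containsForm(viewRoot);
    }

    public static void main(String[] args) {
        // Constructed configurations, including the unresolved placeholder case.
        String[] configs = { "server", "SERVER", "client", null, "${webapp.stateSavingMethod}" };
        System.out.printf("%-30s %-8s %-8s %-8s%n", "configured", "helper", "old", "new");
        for (String c : configs) {
            System.out.printf("%-30s %-8b %-8b %-8b%n", c,
                selectsServerHelper(c), oldIsServerStateSaving(c), newIsServerStateSaving(c));
        }

        Component formView = new Component(false, new Component(false), new Component(true));
        Component plainView = new Component(false, new Component(false));

        // Placeholder config, form present, no session: old guard skipped the
        // pre-create although the server helper would write state later.
        System.out.println("placeholder config + form, no session -> pre-create: "
            + shouldPreCreateSession(false, false, "${webapp.stateSavingMethod}", formView));
        // Plain page without a form: no state is written, so no session is created.
        System.out.println("server config + no form, no session -> pre-create: "
            + shouldPreCreateSession(false, false, "server", plainView));
    }
}
```

Running it prints a table in which "helper" and "new" agree on every row while "old" is false for "SERVER", null and the placeholder: exactly the configurations that previously used the server helper without the pre-render getSession() call and could hit the committed-response IllegalStateException in flushToWriter.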
Contributor

@jasondlee jasondlee left a comment


lgtm. Thanks for the cleanup. Apologies for not catching this earlier.

@BalusC BalusC merged commit be4cef6 into 4.0 Apr 28, 2026
3 checks passed
@BalusC BalusC deleted the make_sure_csp_backport_passes_the_4.0_tck branch April 28, 2026 16:00