- CorsAwareResourceRenderer
The CorsAwareResourceRenderer is intended as an extension to the standard script and stylesheet resource renderer in order to add the crossorigin and integrity attributes as a pass-through attribute. By default, the crossorigin attribute will always be set to anonymous and the integrity attribute is only set when the ResourceHandler.createResource(String) returns an instance of CDNResource. It will then be set with a base64 encoded sha384 hash.
This includes declarative resources created by <h:outputScript> and <h:outputStylesheet>, annotated resources created by ResourceDependency, combined resources created by CombinedResourceHandler, deferred scripts created by DeferredScript and critical stylesheets created by CriticalStylesheet. Basically any resource which will be served by ResourceHandler.createResource(String).
Installation
You do not need to explicitly register this renderer in your faces-config.xml. It's already automatically registered.
Configuration
Currently only the following context parameter is available: "org.omnifaces.DEFAULT_CROSSORIGIN". This sets the desired value of crossorigin attribute of combined script resources. Supported values are specified in MDN. An empty string is also allowed, it will then completely skip the task of the current renderer. The default value when the context parameter is not set is anonymous (i.e. no cookies are transferred at all).
Usage
Eveything is automatic. In case you wish to override the default/configured outcome of one of the attributes on a specific resource component, then simply explicitly set it as a passthrough attribute yourself. For example,
<... xmlns:h="jakarta.faces.html" xmlns:a="jakarta.faces.passthrough">
<h:outputScript name="..." a:crossorigin="use-credentials" />