Posted to dev@wicket.apache.org by Maxim Solodovnik <so...@gmail.com> on 2020/03/24 07:52:55 UTC

CSP regression

Hello All,

just found a regression with CSP
nonce for CSS resources seems not to be added, which results in security errors
Can it be caused by the latest code optimizations?

-- 
WBR
Maxim aka solomax

Re: CSP regression

Posted by Maxim Solodovnik <so...@gmail.com>.
Hello All,

Recently found a limitation of the current CSP implementation [1]

Note: connect-src 'self' does not resolve to websocket schemes in all
browsers, more info: https://github.com/w3c/webappsec-csp/issues/7

I believe this should be addressed or at least documented
(Seems to fail in Safari only)

I'm going to work around this in our source code

[1]
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src


On Wed, 25 Mar 2020 at 18:07, Maxim Solodovnik <so...@gmail.com> wrote:

> Hello All,
>
> it seems it was a false alarm
> sorry for the noise :(
>
> On Tue, 24 Mar 2020 at 15:19, Maxim Solodovnik <so...@gmail.com>
> wrote:
>
>> Hmmm,
>>
>> I'll check.
>> The errors are definitely in DevTools (I'm using report-only CSP)
>> Not sure if it is the first or second time
>> Will double-check and report back
>>
>> On Tue, 24 Mar 2020 at 15:17, Emond Papegaaij <em...@gmail.com>
>> wrote:
>> >
>> > Hi Maxim,
>> >
>> > Are you sure? I just tried the examples and CSS resources do have
>> > nonces. Maybe you're seeing the same errors as I when opening the dev
>> > tools? Somehow Chrome is unable to load the css resources in the dev
>> > tools when the dev tools are opened after loading the page. After a
>> > refresh, it's fine again.
>> >
>> > Emond
>> >
>> > On Tue, Mar 24, 2020 at 8:53 AM Maxim Solodovnik <so...@gmail.com>
>> wrote:
>> > >
>> > > Hello All,
>> > >
>> > > just found a regression with CSP
>> > > nonce for CSS resources seems not to be added, which results in security errors
>> > > Can it be caused by the latest code optimizations?
>> > >
>> > > --
>> > > WBR
>> > > Maxim aka solomax
>>
>>
>>
>> --
>> WBR
>> Maxim aka solomax
>>
>
>
> --
> WBR
> Maxim aka solomax
>


-- 
Best regards,
Maxim
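
The limitation described in the message above can be handled by listing the WebSocket source explicitly instead of relying on 'self'. The following is an added example, not part of the original post and not Wicket code; the function names and the sample origins used with it are assumptions made for illustration.

```javascript
// Added example (not Wicket code): make WebSocket sources explicit in connect-src.
// The origin and policy strings passed to these functions are constructed samples.

// Parse a CSP header value into a Map of directive name -> array of source tokens.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Per the CSP spec, a repeated directive is ignored; the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Map an http(s) page origin to the matching ws(s) source expression.
function websocketSourceFor(pageOrigin) {
  const url = new URL(pageOrigin);
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    throw new Error('unsupported origin scheme: ' + url.protocol);
  }
  const scheme = url.protocol === 'https:' ? 'wss:' : 'ws:';
  return scheme + '//' + url.host; // host keeps a non-default port
}

// Return the policy with an explicit ws(s) source added wherever connect-src
// (or default-src, which connect-src falls back to) relies on 'self' alone.
function addExplicitWebsocketSource(header, pageOrigin) {
  const directives = parseCsp(header);
  const wsSource = websocketSourceFor(pageOrigin);
  const wsScheme = wsSource.slice(0, wsSource.indexOf('//')); // "ws:" or "wss:"
  let effective = directives.get('connect-src');
  if (effective === undefined) {
    const fallback = directives.get('default-src');
    if (fallback === undefined) return header; // nothing restricts connections
    effective = fallback.slice(); // copy so default-src itself is left unchanged
  }
  const lower = effective.map((s) => s.toLowerCase());
  const alreadyAllowed = lower.includes(wsSource) || lower.includes(wsScheme);
  if (lower.includes("'self'") && !alreadyAllowed) {
    effective.push(wsSource);
    directives.set('connect-src', effective);
  }
  return [...directives].map(([n, v]) => [n, ...v].join(' ')).join('; ');
}
```

Only the page's own host is added, so the policy stays as narrow as 'self' was intended to be.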

Re: CSP regression

Posted by Maxim Solodovnik <so...@gmail.com>.
Hello All,

it seems it was a false alarm
sorry for the noise :(

On Tue, 24 Mar 2020 at 15:19, Maxim Solodovnik <so...@gmail.com> wrote:

> Hmmm,
>
> I'll check.
> The errors are definitely in DevTools (I'm using report-only CSP)
> Not sure if it is the first or second time
> Will double-check and report back
>
> On Tue, 24 Mar 2020 at 15:17, Emond Papegaaij <em...@gmail.com>
> wrote:
> >
> > Hi Maxim,
> >
> > Are you sure? I just tried the examples and CSS resources do have
> > nonces. Maybe you're seeing the same errors as I when opening the dev
> > tools? Somehow Chrome is unable to load the css resources in the dev
> > tools when the dev tools are opened after loading the page. After a
> > refresh, it's fine again.
> >
> > Emond
> >
> > On Tue, Mar 24, 2020 at 8:53 AM Maxim Solodovnik <so...@gmail.com>
> wrote:
> > >
> > > Hello All,
> > >
> > > just found a regression with CSP
> > > nonce for CSS resources seems not to be added, which results in security errors
> > > Can it be caused by the latest code optimizations?
> > >
> > > --
> > > WBR
> > > Maxim aka solomax
>
>
>
> --
> WBR
> Maxim aka solomax
>


-- 
WBR
Maxim aka solomax

Re: CSP regression

Posted by Maxim Solodovnik <so...@gmail.com>.
Hmmm,

I'll check.
The errors are definitely in DevTools (I'm using report-only CSP)
Not sure if it is the first or second time
Will double-check and report back

On Tue, 24 Mar 2020 at 15:17, Emond Papegaaij <em...@gmail.com> wrote:
>
> Hi Maxim,
>
> Are you sure? I just tried the examples and CSS resources do have
> nonces. Maybe you're seeing the same errors as I when opening the dev
> tools? Somehow Chrome is unable to load the css resources in the dev
> tools when the dev tools are opened after loading the page. After a
> refresh, it's fine again.
>
> Emond
>
> On Tue, Mar 24, 2020 at 8:53 AM Maxim Solodovnik <so...@gmail.com> wrote:
> >
> > Hello All,
> >
> > just found a regression with CSP
> > nonce for CSS resources seems not to be added, which results in security errors
> > Can it be caused by the latest code optimizations?
> >
> > --
> > WBR
> > Maxim aka solomax



-- 
WBR
Maxim aka solomax

Re: CSP regression

Posted by Emond Papegaaij <em...@gmail.com>.
Hi Maxim,

Are you sure? I just tried the examples and CSS resources do have
nonces. Maybe you're seeing the same errors as I when opening the dev
tools? Somehow Chrome is unable to load the css resources in the dev
tools when the dev tools are opened after loading the page. After a
refresh, it's fine again.

Emond

On Tue, Mar 24, 2020 at 8:53 AM Maxim Solodovnik <so...@gmail.com> wrote:
>
> Hello All,
>
> just found a regression with CSP
> nonce for CSS resources seems not to be added, which results in security errors
> Can it be caused by the latest code optimizations?
>
> --
> WBR
> Maxim aka solomax