Posted to commits@wicket.apache.org by sv...@apache.org on 2019/09/27 12:49:41 UTC
[wicket] 01/02: WICKET-6682 CSP must use 'strict-dynamic'
This is an automated email from the ASF dual-hosted git repository.
svenmeier pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/wicket.git
commit a1a53a9d8da0e06520ff68d58b3f4dd64d329a9f
Author: Sven Meier <sv...@apache.org>
AuthorDate: Fri Sep 27 12:40:55 2019 +0200
WICKET-6682 CSP must use 'strict-dynamic'
to allow dynamically added JS resources
---
.../markup/head/filter/CspNonceHeaderResponse.java | 4 ++--
.../markup/head/filter/CspNoncePageExpected.html | 2 +-
.../apache/wicket/examples/csp/NonceDemoPage.html | 2 ++
.../apache/wicket/examples/csp/NonceDemoPage.java | 28 ++++++++++++++++++++++
.../apache/wicket/examples/csp/delayedVisible.css | 7 ++++++
.../apache/wicket/examples/csp/delayedVisible.js | 3 +++
6 files changed, 43 insertions(+), 3 deletions(-)
diff --git a/wicket-core/src/main/java/org/apache/wicket/markup/head/filter/CspNonceHeaderResponse.java b/wicket-core/src/main/java/org/apache/wicket/markup/head/filter/CspNonceHeaderResponse.java
index 7a911ca..6376518 100644
--- a/wicket-core/src/main/java/org/apache/wicket/markup/head/filter/CspNonceHeaderResponse.java
+++ b/wicket-core/src/main/java/org/apache/wicket/markup/head/filter/CspNonceHeaderResponse.java
@@ -80,7 +80,7 @@ public class CspNonceHeaderResponse extends DecoratingHeaderResponse
* Get the <em>Content-Security-Policy</em> (CSP).
* <p>
* There is a variety of CSP configurations, this default implementation uses the nonce for scripts and styles
- * and allows <code>unsafe-eval</code>s (needed for Wicket Ajax).
+ * and allows <code>unsafe-eval</code> and <code>strict-dynamic</code>s (needed for Wicket Ajax).
*
* @param nonce
* the nonce
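Review bot: The plural suffix from the old sentence now attaches to the second keyword, so the new Javadoc line reads as `strict-dynamic`s; drop the `s`. Since the commit message gives the two keywords different purposes, the sentence would also be more accurate split that way: `* and allows <code>unsafe-eval</code> (needed for Wicket Ajax) and <code>strict-dynamic</code> (so that scripts added dynamically by nonced scripts may load).` The Javadoc block continues past the end of this hunk.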
@@ -88,6 +88,6 @@ public class CspNonceHeaderResponse extends DecoratingHeaderResponse
*/
protected String getContentSecurityPolicy(String nonce)
{
- return String.format("script-src 'unsafe-eval' 'nonce-%1$s'; style-src 'nonce-%1$s';", nonce);
+ return String.format("script-src 'unsafe-eval' 'strict-dynamic' 'nonce-%1$s'; style-src 'nonce-%1$s';", nonce);
}
}
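Review bot: Adding `'strict-dynamic'` to `script-src` changes how a CSP Level 3 browser reads the rest of that directive: host sources, `'self'` and `'unsafe-inline'` are ignored once it is present, and execution is granted to nonced scripts plus whatever they insert through non-parser-inserted means (createElement/appendChild), while scripts they add via innerHTML or document.write stay blocked. The string built here contains none of the ignored source types, so the header is consistent, but a subclass overriding getContentSecurityPolicy to append a host allowlist next to the nonce would silently lose it; a Javadoc caveat on this method would prevent that. Browsers without CSP3 support treat the keyword as unknown and fall back to the nonce alone, which still works because the nonce is emitted unchanged. Worth stating in the Javadoc as well that `'strict-dynamic'` extends trust transitively to every script a nonced script loads, so together with the retained `'unsafe-eval'` the effective policy is more permissive than the nonce alone suggests.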
diff --git a/wicket-core/src/test/java/org/apache/wicket/markup/head/filter/CspNoncePageExpected.html b/wicket-core/src/test/java/org/apache/wicket/markup/head/filter/CspNoncePageExpected.html
index baa33ba..63c9d08 100644
--- a/wicket-core/src/test/java/org/apache/wicket/markup/head/filter/CspNoncePageExpected.html
+++ b/wicket-core/src/test/java/org/apache/wicket/markup/head/filter/CspNoncePageExpected.html
@@ -1,5 +1,5 @@
<html xmlns:wicket="http://wicket.apache.org/dtds.data/wicket-xhtml1.4-strict.dtd" >
- <head><meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-eval' 'nonce-NONCE'; style-src 'nonce-NONCE';" />
+ <head><meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-eval' 'strict-dynamic' 'nonce-NONCE'; style-src 'nonce-NONCE';" />
<script type="text/javascript" src="../resource/org.apache.wicket.resource.JQueryResourceReference/jquery/jquery-3.4.1.js" nonce="NONCE"></script>
<script type="text/javascript" src="../resource/org.apache.wicket.ajax.AbstractDefaultAjaxBehavior/res/js/wicket-ajax-jquery.js" nonce="NONCE"></script>
<script type="text/javascript" id="wicket-ajax-debug-enable" nonce="NONCE">
diff --git a/wicket-examples/src/main/java/org/apache/wicket/examples/csp/NonceDemoPage.html b/wicket-examples/src/main/java/org/apache/wicket/examples/csp/NonceDemoPage.html
index 9115256..6aab2b8 100644
--- a/wicket-examples/src/main/java/org/apache/wicket/examples/csp/NonceDemoPage.html
+++ b/wicket-examples/src/main/java/org/apache/wicket/examples/csp/NonceDemoPage.html
@@ -14,6 +14,8 @@
<div class="click-me-text">Click a button above to replace this text</div>
<div><wicket:message key="clickMeCount" /> <span wicket:id="clickMeCount"></span></div>
<p></p>
+ <div wicket:id="delayedVisible" class="delayed-visible">This delayed shown text should be green and bold</div>
+ <p></p>
<p><wicket:message key="ieDisclaimer"/></p>
<!-- Injections below will work in IE11, because IE 11 doesn't support nonce -->
diff --git a/wicket-examples/src/main/java/org/apache/wicket/examples/csp/NonceDemoPage.java b/wicket-examples/src/main/java/org/apache/wicket/examples/csp/NonceDemoPage.java
index d092f8d..dce8079 100644
--- a/wicket-examples/src/main/java/org/apache/wicket/examples/csp/NonceDemoPage.java
+++ b/wicket-examples/src/main/java/org/apache/wicket/examples/csp/NonceDemoPage.java
@@ -22,15 +22,23 @@ import org.apache.wicket.examples.WicketExamplePage;
import org.apache.wicket.markup.head.CssHeaderItem;
import org.apache.wicket.markup.head.IHeaderResponse;
import org.apache.wicket.markup.head.JavaScriptHeaderItem;
+import org.apache.wicket.markup.html.WebMarkupContainer;
import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.model.IModel;
import org.apache.wicket.model.Model;
+import org.apache.wicket.request.resource.CssResourceReference;
+import org.apache.wicket.request.resource.JavaScriptResourceReference;
+import org.apache.wicket.request.resource.ResourceReference;
/**
* Page which disallows execution of inline scripts without nonce
*/
public class NonceDemoPage extends WicketExamplePage
{
+
+ private static final ResourceReference JS_DELAYED = new JavaScriptResourceReference(NonceDemoPage.class, "delayedVisible.js");
+ private static final ResourceReference CSS_DELAYED = new CssResourceReference(NonceDemoPage.class, "delayedVisible.css");
+
private final IModel<Integer> clickMeCountModel = Model.of(0);
public NonceDemoPage()
@@ -38,9 +46,25 @@ public class NonceDemoPage extends WicketExamplePage
super();
add(new Label("testNonceScript", getString("testNonceScript")));
add(new Label("testNoNonceScript", getString("testNoNonceScript")));
+
final Label clickMeCount = new Label("clickMeCount", clickMeCountModel);
clickMeCount.setOutputMarkupId(true);
add(clickMeCount);
+
+ final WebMarkupContainer delayedVisible = new WebMarkupContainer("delayedVisible") {
+ @Override
+ public void renderHead(IHeaderResponse response)
+ {
+ super.renderHead(response);
+
+ response.render(JavaScriptHeaderItem.forReference(JS_DELAYED));
+ response.render(CssHeaderItem.forReference(CSS_DELAYED));
+ }
+ };
+ delayedVisible.setOutputMarkupPlaceholderTag(true);
+ delayedVisible.setVisible(false);
+ add(delayedVisible);
+
add(new AjaxLink<String>("clickMe")
{
@Override
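Review bot: The reason `delayedVisible` starts invisible with a placeholder tag is not stated, although it is the point of the demo: its `renderHead` contributions are only emitted when the Ajax click re-renders the component, which exercises the dynamically added scripts the commit message says `'strict-dynamic'` is meant to permit. A short comment above the `new WebMarkupContainer` line would spare the next reader the round-trip to the commit log: `// hidden until the Ajax click: its JS/CSS are then added dynamically, which requires 'strict-dynamic'`. The constructor continues past this hunk (the AjaxLink body that flips visibility is in the following hunk).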
@@ -50,8 +74,12 @@ public class NonceDemoPage extends WicketExamplePage
// target.add (works even without unsafe-eval)
target.add(clickMeCount);
+
// append javascript (won't work without unsafe-eval)
target.appendJavaScript("document.querySelector(\".click-me-text\").innerHTML = \"replaced\";");
+
+ delayedVisible.setVisible(true);
+ target.add(delayedVisible);
}
}.setOutputMarkupId(true));
}
diff --git a/wicket-examples/src/main/java/org/apache/wicket/examples/csp/delayedVisible.css b/wicket-examples/src/main/java/org/apache/wicket/examples/csp/delayedVisible.css
new file mode 100644
index 0000000..d16b283c
--- /dev/null
+++ b/wicket-examples/src/main/java/org/apache/wicket/examples/csp/delayedVisible.css
@@ -0,0 +1,7 @@
+.delayed-visible {
+ font-weight: bold;
+}
+
+.delayed-ready .delayed-visible {
+ color: green;
+}
diff --git a/wicket-examples/src/main/java/org/apache/wicket/examples/csp/delayedVisible.js b/wicket-examples/src/main/java/org/apache/wicket/examples/csp/delayedVisible.js
new file mode 100644
index 0000000..cc2f7eb
--- /dev/null
+++ b/wicket-examples/src/main/java/org/apache/wicket/examples/csp/delayedVisible.js
@@ -0,0 +1,3 @@
+jQuery(document).ready(function() {
+ jQuery('body').addClass('delayed-ready');
+});
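Review bot: `jQuery(document).ready(handler)` is deprecated since jQuery 3.0 in favor of the plain `jQuery(handler)` form, and the page ships jQuery 3.4.1 (see the script tag in CspNoncePageExpected.html), so the shorter form is available: `jQuery(function() {`, `  jQuery('body').addClass('delayed-ready');`, `});`. Presumably this file is fetched through the Ajax response rather than in the initial page, and jQuery 3 runs ready handlers asynchronously even when the DOM is already ready, so the class is added a tick later than the script executes; harmless here, but worth a one-line comment if anything else is made to depend on `delayed-ready`.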