Posted to commits@wicket.apache.org by "Andrew Kondratev (JIRA)" <ji...@apache.org> on 2019/07/06 08:40:00 UTC

[jira] [Created] (WICKET-6682) Improve JavaScriptContentHeaderItem and JavaScriptUtils to support nonce

Andrew Kondratev created WICKET-6682:
----------------------------------------

             Summary: Improve JavaScriptContentHeaderItem and JavaScriptUtils to support nonce
                 Key: WICKET-6682
                 URL: https://issues.apache.org/jira/browse/WICKET-6682
             Project: Wicket
          Issue Type: Improvement
            Reporter: Andrew Kondratev


One of the easy wins for content security policy would be support of _nonce_ for inline JavaScript header injections.

[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#Unsafe_inline_script]

*Criteria*
 * Set up some kind of request-unique nonce provider
 * Make it possible for JavaScript header items to have the provided nonce
 * Add the provided nonce to the `Content-Security-Policy: script-src` header

See in code:
org.apache.wicket.core.util.string.JavaScriptUtils#writeOpenTag
org.apache.wicket.markup.head.JavaScriptContentHeaderItem#render



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
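
The three criteria in the issue, sketched in framework-independent Java. This is an added example, not Wicket code and not the reporter's: the class CspNonceExample and its methods are hypothetical, and the 'self' source in the policy is an assumption.

```java
import java.security.SecureRandom;
import java.util.Base64;

// Hypothetical helper, not part of Wicket: create one instance per request.
public final class CspNonceExample {
    private static final SecureRandom RANDOM = new SecureRandom();

    private final String nonce;

    public CspNonceExample() {
        // 128 bits from a CSPRNG: the nonce must be unguessable and never reused.
        byte[] raw = new byte[16];
        RANDOM.nextBytes(raw);
        this.nonce = Base64.getEncoder().encodeToString(raw);
    }

    public String nonce() {
        return nonce;
    }

    /** Value for the Content-Security-Policy response header ('self' is assumed). */
    public String cspHeaderValue() {
        return "script-src 'self' 'nonce-" + nonce + "'";
    }

    /** Opening tag for an inline header script carrying this request's nonce. */
    public String openScriptTag(String id) {
        StringBuilder tag = new StringBuilder("<script type=\"text/javascript\"");
        if (id != null) {
            tag.append(" id=\"").append(escapeAttribute(id)).append('"');
        }
        // Standard Base64 uses only [A-Za-z0-9+/=], so the nonce needs no escaping.
        return tag.append(" nonce=\"").append(nonce).append("\">").toString();
    }

    private static String escapeAttribute(String s) {
        return s.replace("&", "&amp;").replace("\"", "&quot;").replace("<", "&lt;");
    }

    public static void main(String[] args) {
        CspNonceExample first = new CspNonceExample();   // request 1
        CspNonceExample second = new CspNonceExample();  // request 2
        System.out.println("Content-Security-Policy: " + first.cspHeaderValue());
        System.out.println(first.openScriptTag("init") + "/* inline script */</script>");
        // The tag's nonce must match its own response header and differ per request.
        if (!first.cspHeaderValue().contains("'nonce-" + first.nonce() + "'")
                || first.nonce().equals(second.nonce())) {
            throw new IllegalStateException("nonce must match the header and be per-request");
        }
    }
}
```

The header value and every inline script tag in one response must come from the same instance; a response that is cached and replayed carries a stale nonce, which turns it into a static value.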