Posted to commits@wicket.apache.org by "Emond Papegaaij (Jira)" <ji...@apache.org> on 2020/08/10 12:22:00 UTC

[jira] [Reopened] (WICKET-6813) Setting child-src does not update frame-src after initial assignment

     [ https://issues.apache.org/jira/browse/WICKET-6813?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Emond Papegaaij reopened WICKET-6813:
-------------------------------------
      Assignee: Emond Papegaaij

> Setting child-src does not update frame-src after initial assignment
> --------------------------------------------------------------------
>
>                 Key: WICKET-6813
>                 URL: https://issues.apache.org/jira/browse/WICKET-6813
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket-core
>    Affects Versions: 9.0.0-M5, 9.0.0
>            Reporter: Mark Snijder
>            Assignee: Emond Papegaaij
>            Priority: Minor
>
> When configuring CHILD_SRC Wicket also configures FRAME_SRC ([CSPHeaderConfiguration.doAddDirective|https://github.com/apache/wicket/blob/bef3facb3b240f60a3455f257eaf1b9db81a9e29/wicket-core/src/main/java/org/apache/wicket/csp/CSPHeaderConfiguration.java#L310]) however it only does this when FRAME_SRC is not set.
> Since _unsafeInline()_ sets CHILD_SRC to 'self', adding other CHILD_SRC directive values will not update the FRAME_SRC value anymore. The CSP settings in the code below cause a _Refused to frame 'https://docs.google.com/' because it violates the following Content Security Policy directive: "frame-src 'self'"._ error.
> {code:java}
> getCspSettings().blocking()
>     .unsafeInline()
>     .add(CSPDirective.SCRIPT_SRC, "https://apis.google.com/")
>     .add(CSPDirective.CHILD_SRC, "https://docs.google.com/");
> {code}
> A workaround is to add FRAME_SRC yourself manually to the code above (_.add(CSPDirective.FRAME_SRC, "https://docs.google.com/")_) but I would have expected the code to work without adding this.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)