Posted to commits@wicket.apache.org by pa...@apache.org on 2020/01/20 09:22:10 UTC
[wicket] branch csp updated: WICKET-6727: improved documentation
This is an automated email from the ASF dual-hosted git repository.
papegaaij pushed a commit to branch csp
in repository https://gitbox.apache.org/repos/asf/wicket.git
The following commit(s) were added to refs/heads/csp by this push:
new 48db3d6 WICKET-6727: improved documentation
48db3d6 is described below
commit 48db3d62fe388173c0cf12ff49d789cb99c5e315
Author: Emond Papegaaij <em...@topicus.nl>
AuthorDate: Mon Jan 20 10:21:48 2020 +0100
WICKET-6727: improved documentation
---
.../java/org/apache/wicket/csp/CSPDirective.java | 23 ++++++++++++++++------
.../apache/wicket/csp/CSPHeaderConfiguration.java | 3 +++
.../wicket/csp/ContentSecurityPolicyEnforcer.java | 5 +++--
3 files changed, 23 insertions(+), 8 deletions(-)
diff --git a/wicket-core/src/main/java/org/apache/wicket/csp/CSPDirective.java b/wicket-core/src/main/java/org/apache/wicket/csp/CSPDirective.java
index 0edf6b9..2bba938 100644
--- a/wicket-core/src/main/java/org/apache/wicket/csp/CSPDirective.java
+++ b/wicket-core/src/main/java/org/apache/wicket/csp/CSPDirective.java
@@ -24,8 +24,12 @@ import org.apache.wicket.util.string.Strings;
/**
* An enum holding the possible CSP Directives. Via the
- * {@link #checkValueForDirective(CSPRenderable, List)}-method, new values can be verified before
- * being added to the list of values for a directive.
+ * {@link #checkValueForDirective(CSPRenderable, List)}-method, new values are verified before being
+ * added to the list of values for a directive.
+ *
+ * @see <a href="https://www.w3.org/TR/CSP2/">https://www.w3.org/TR/CSP2</a>
+ * @see <a href=
+ * "https://developer.mozilla.org/en-US/docs/Web/Security/CSP">https://developer.mozilla.org/en-US/docs/Web/Security/CSP</a>
*/
public enum CSPDirective
{
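Review bot: The new `@see` references point only at the CSP Level 2 specification, while this enum's own Javadoc (the FRAME_SRC entry further down) describes CSP Level 3 behaviour, so a reader following these links cannot find the text that restores frame-src. Add `@see <a href="https://www.w3.org/TR/CSP3/">https://www.w3.org/TR/CSP3</a>` next to the CSP2 link. The MDN URL also appears to be the older path; the page now seems to live at `https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP`, which is worth linking directly rather than relying on a redirect.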
@@ -41,13 +45,16 @@ public enum CSPDirective
CHILD_SRC("child-src"),
FRAME_ANCESTORS("frame-ancestors"),
/**
- * @deprecated Use CHILD-SRC, this will also add FRAME-SRC automatically for compatibility with
- * older browsers.
+ * This directive was deprecated in CSP 2, but no longer in 3. Wicket will automatically add a
+ * {@code frame-src} directive when {@code child-src} is added.
*/
- @Deprecated
FRAME_SRC("frame-src"),
SANDBOX("sandbox")
{
+ /**
+ * Only allow {@link CSPDirectiveSandboxValue} for the {@code 'sandbox'} directive and block
+ * conflicting options.
+ */
@Override
public void checkValueForDirective(CSPRenderable value,
List<CSPRenderable> existingDirectiveValues)
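Review bot: The new FRAME_SRC Javadoc says Wicket adds `frame-src` automatically when `child-src` is added, but now that `@Deprecated` is dropped an application can also add FRAME_SRC itself, and the doc does not say how the two interact. In CSP a directive name that occurs twice in one policy is ignored after its first occurrence (browsers only log a warning), so if the derived and the explicitly configured frame-src were emitted as two directives the second value list would silently never apply; whether Wicket merges them is not visible in this hunk and should be confirmed in the checkValueForDirective/rendering code. Once confirmed, state the outcome in the FRAME_SRC Javadoc, e.g. `An explicitly added {@code frame-src} is merged with the one derived from {@code child-src}`, and consider mentioning the CSP3 fallback order (frame-src, then child-src, then default-src) so readers understand why both are emitted. Note also that removing `@Deprecated` is an API change rather than a documentation-only one, which the commit message does not mention.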
@@ -75,6 +82,9 @@ public enum CSPDirective
},
REPORT_URI("report-uri")
{
+ /**
+ * Only allow URI, and only one.
+ */
@Override
public void checkValueForDirective(CSPRenderable value,
List<CSPRenderable> existingDirectiveValues)
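Review bot: The new REPORT_URI Javadoc, `Only allow URI, and only one.`, is terse enough to leave open whether a second value is rejected or silently ignored, and the override body that decides this runs past the end of the hunk. Suggest `Only allow a single URI value for the {@code report-uri} directive; adding a second value is rejected.`, adjusting the last clause to match what the override actually does. A one-line caveat that report-uri is deprecated in CSP Level 3 in favour of report-to would also help, since practitioners reading this enum will otherwise assume it is the current reporting mechanism.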
@@ -113,7 +123,8 @@ public enum CSPDirective
}
/**
- * Check if {@code value} can be added to the list of other values.
+ * Check if {@code value} can be added to the list of other values. By default, it checks for
+ * conflicts with wildcards and none and it checks if values are valid uris.
*
* @param value
* The value to add.
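Review bot: The added summary sentence on checkValueForDirective reads awkwardly and leaves `none` unquoted, so it is unclear that it means the keyword source `'none'` rather than an absent value; suggest `By default it rejects values that conflict with a wildcard or with {@code 'none'}, and requires every other value to be a valid URI.` The method body continues outside the hunk, so the Javadoc should also say what happens on rejection, presumably an exception given the `void` return seen on the overrides above, with a matching `@throws` tag once confirmed against the default implementation.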
diff --git a/wicket-core/src/main/java/org/apache/wicket/csp/CSPHeaderConfiguration.java b/wicket-core/src/main/java/org/apache/wicket/csp/CSPHeaderConfiguration.java
index 6bee9fd..95c4a17 100644
--- a/wicket-core/src/main/java/org/apache/wicket/csp/CSPHeaderConfiguration.java
+++ b/wicket-core/src/main/java/org/apache/wicket/csp/CSPHeaderConfiguration.java
@@ -46,6 +46,9 @@ import org.apache.wicket.request.cycle.RequestCycle;
* can be added or exising directives modified.
*
* @author papegaaij
+ * @see <a href="https://www.w3.org/TR/CSP2/">https://www.w3.org/TR/CSP2</a>
+ * @see <a href=
+ * "https://developer.mozilla.org/en-US/docs/Web/Security/CSP">https://developer.mozilla.org/en-US/docs/Web/Security/CSP</a>
*/
public class CSPHeaderConfiguration
{
diff --git a/wicket-core/src/main/java/org/apache/wicket/csp/ContentSecurityPolicyEnforcer.java b/wicket-core/src/main/java/org/apache/wicket/csp/ContentSecurityPolicyEnforcer.java
index dad360c..495ce44 100644
--- a/wicket-core/src/main/java/org/apache/wicket/csp/ContentSecurityPolicyEnforcer.java
+++ b/wicket-core/src/main/java/org/apache/wicket/csp/ContentSecurityPolicyEnforcer.java
@@ -52,8 +52,9 @@ import org.apache.wicket.util.lang.Args;
*
* See {@link CSPHeaderConfiguration} for more details on specifying the configuration.
*
- * @see "http://www.w3.org/TR/CSP2/"
- * @see "https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives"
+ * @see <a href="https://www.w3.org/TR/CSP2/">https://www.w3.org/TR/CSP2</a>
+ * @see <a href=
+ * "https://developer.mozilla.org/en-US/docs/Web/Security/CSP">https://developer.mozilla.org/en-US/docs/Web/Security/CSP</a>
*
* @author Sven Haster
* @author Emond Papegaaij