Posted to commits@wicket.apache.org by pa...@apache.org on 2020/02/23 20:06:02 UTC
[wicket] 02/02: WICKET-6733: enable strict CSP by default
This is an automated email from the ASF dual-hosted git repository.
papegaaij pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/wicket.git
commit ef8049cca3d3a44500874a8e4c66cd40f6f353f5
Author: Emond Papegaaij <em...@topicus.nl>
AuthorDate: Sun Feb 23 21:03:59 2020 +0100
WICKET-6733: enable strict CSP by default
---
wicket-core/src/main/java/org/apache/wicket/mock/MockApplication.java | 2 ++
.../src/main/java/org/apache/wicket/protocol/http/WebApplication.java | 2 ++
2 files changed, 4 insertions(+)
diff --git a/wicket-core/src/main/java/org/apache/wicket/mock/MockApplication.java b/wicket-core/src/main/java/org/apache/wicket/mock/MockApplication.java
index 3dbe4fb..d6bfa00 100644
--- a/wicket-core/src/main/java/org/apache/wicket/mock/MockApplication.java
+++ b/wicket-core/src/main/java/org/apache/wicket/mock/MockApplication.java
@@ -74,5 +74,7 @@ public class MockApplication extends WebApplication
// the core CSS causes noise (a head + link in every generated markup) in tests
// and isn't needed, because the markup isn't rendered by a browser
getResourceSettings().disableWicketCoreCSS();
+ // disable nonces, CSP is not needed anyway during tests
+ getCsp().blocking().disabled();
}
}
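Review bot: The comment on the added line describes the effect more narrowly than the call beneath it: `getCsp().blocking().disabled()` switches off the whole blocking policy in the mock application, not just nonce emission, so every test built on MockApplication now runs without CSP and a regression that breaks CSP-compatible markup will not surface there. That is a defensible default for markup-only tests, but it should be stated so that tests which do want to assert CSP behaviour know to re-enable it: `// disable the blocking CSP (and, as far as nonce emission is keyed on it, the nonces) for tests; the markup is never rendered by a browser, so tests that need CSP must enable it explicitly`. Whether nonces are tied to the policy being enabled is inferred from the decorator in the WebApplication hunk, not visible here. The enclosing init() starts outside the hunk.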
diff --git a/wicket-core/src/main/java/org/apache/wicket/protocol/http/WebApplication.java b/wicket-core/src/main/java/org/apache/wicket/protocol/http/WebApplication.java
index f6f3bd2..d00b7f4 100644
--- a/wicket-core/src/main/java/org/apache/wicket/protocol/http/WebApplication.java
+++ b/wicket-core/src/main/java/org/apache/wicket/protocol/http/WebApplication.java
@@ -755,6 +755,7 @@ public abstract class WebApplication extends Application
getHeaderResponseDecorators()
.add(response -> new CSPNonceHeaderResponseDecorator(response, getCsp()));
mount(new ReportCSPViolationMapper(getCsp()));
+ getCsp().blocking().strict();
if (getConfigurationType() == RuntimeConfigurationType.DEVELOPMENT)
{
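Review bot: The added `getCsp().blocking().strict();` makes a strict blocking policy the default for every application, yet nothing in the hunk records that decision or how an application that still relies on inline scripts or styles is meant to relax it; the reader has to find the ticket to learn why pages suddenly break. A comment on that line would do: `// WICKET-6733: serve a strict blocking CSP by default; applications that cannot yet comply must adjust the policy via getCsp() before it is applied` — where exactly they are expected to do that is inferred, confirm against the CSP settings class. Note also that the line sits before the DEVELOPMENT check and after an unconditional mount, so the strict default applies unchanged in deployment mode. The enclosing method starts and ends outside the hunk.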
@@ -764,6 +765,7 @@ public abstract class WebApplication extends Application
{
getResourceSettings().getResourceFinders().add(new Path(resourceFolder));
}
+ getCsp().blocking().reportBack();
}
setPageRendererProvider(WebPageRenderer::new);
setSessionStoreProvider(HttpSessionStore::new);
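Review bot: `getCsp().blocking().reportBack();` is enabled only inside the DEVELOPMENT branch, while `ReportCSPViolationMapper` is mounted for every configuration type in the previous hunk, and the new line carries no comment explaining why reporting is development-only. If the intent is that violation reports are wanted during development and production applications opt in on their own, say so next to the call: `// in development, also have browsers report violations of the strict policy back to the mounted ReportCSPViolationMapper`. What the mapper does with the reports is not visible here, so the comment stops short of claiming they are logged. The enclosing method continues outside the hunk.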