You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@wicket.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2019/09/27 12:50:00 UTC
[jira] [Commented] (WICKET-6682) Improve
JavaScriptContentHeaderItem and JavaScriptUtils to support nonce
[ https://issues.apache.org/jira/browse/WICKET-6682?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16939413#comment-16939413 ]
ASF subversion and git services commented on WICKET-6682:
---------------------------------------------------------
Commit 5d99df322d62e3ea8a443d2f90dfac03a708dbb5 in wicket's branch refs/heads/master from Sven Meier
[ https://gitbox.apache.org/repos/asf?p=wicket.git;h=5d99df3 ]
WICKET-6682 remove meta based on 'http-equiv' too
otherwise CSP metas will pile up
> Improve JavaScriptContentHeaderItem and JavaScriptUtils to support nonce
> ------------------------------------------------------------------------
>
> Key: WICKET-6682
> URL: https://issues.apache.org/jira/browse/WICKET-6682
> Project: Wicket
> Issue Type: Improvement
> Components: wicket
> Affects Versions: 8.5.0, 9.0.0-M2
> Reporter: Andrew Kondratev
> Assignee: Sven Meier
> Priority: Major
> Labels: security
> Fix For: 9.0.0-M3
>
>
> One of easy wins for content security policy would be a support of _nonce_ for inline JavaScript header injections.
> [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#Unsafe_inline_script]
> *Criteria*
> * Set up some kind of request unique nonce provider
> * Make it possible for JavaScript header items to have provided nonce
> * Add provided nonce to the `Content-Security-Policy: script-src` header
> See in code:
> org.apache.wicket.core.util.string.JavaScriptUtils#writeOpenTag
> org.apache.wicket.markup.head.JavaScriptContentHeaderItem#render
--
This message was sent by Atlassian Jira
(v8.3.4#803005)