Posted to commits@wicket.apache.org by "Andrew Kondratev (JIRA)" <ji...@apache.org> on 2019/05/13 23:59:00 UTC

[jira] [Commented] (WICKET-5406) Better Content Security Policy Support

    [ https://issues.apache.org/jira/browse/WICKET-5406?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16838956#comment-16838956 ] 

Andrew Kondratev commented on WICKET-5406:
------------------------------------------

The JS community considers it "DO NOT USE" functionality [https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#Do_not_ever_use_eval!]

I think big players keep doing this because it takes years to re-implement code to stop using eval, even for big players, and particularly for big players, because they have huge codebases and different priorities.

It should be feasible to implement some kind of "strict mode" RPC where behaviours register functions on page load and the Ajax response then just points to them with some parameters, rather than running it all inside eval.

Another alternative to consider is [https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function]; it should be quite an easy replacement.

> Better Content Security Policy Support
> --------------------------------------
>
>                 Key: WICKET-5406
>                 URL: https://issues.apache.org/jira/browse/WICKET-5406
>             Project: Wicket
>          Issue Type: Improvement
>          Components: wicket
>            Reporter: Mario Groß
>            Priority: Minor
>              Labels: CSP, Content-Security-Policy, Cross-site-Scripting, Security
>
> Better support for the Content Security Policy (http://en.wikipedia.org/wiki/Content_Security_Policy) would protect against cross-site scripting attacks and improve the security image of Wicket.
> The main problem at the moment is the heavily used inline JavaScript code, which interferes with the whitelisting mechanism for script sources in the CSP and should be avoided.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
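The "strict mode" RPC idea from the comment above, written out as an added example. This is not Wicket's code and not the commenter's; it is a sketch of the pattern: behaviours register named handler functions once at page load, the Ajax response is plain JSON that names a handler and its parameters, and the client runs only functions the page itself defined. The handler names (`dom.replace`, `dom.setText`), the response shape (`{"calls":[{"handler":..., "args":[...]}]}`) and the in-memory stand-in for the DOM are all assumptions made so the example runs outside a browser.

```javascript
'use strict';

// Registry of handlers a behaviour installs at page load (assumed API, not Wicket's).
const handlers = new Map();

function registerHandler(name, fn) {
  // Only plain dotted identifiers, so a response cannot name something odd.
  if (typeof name !== 'string' || !/^[A-Za-z_][\w.]*$/.test(name)) {
    throw new TypeError(`invalid handler name: ${String(name)}`);
  }
  if (typeof fn !== 'function') throw new TypeError('handler must be a function');
  if (handlers.has(name)) throw new Error(`handler already registered: ${name}`);
  handlers.set(name, fn);
}

// Dispatch an Ajax response body. Nothing in the body is ever executed as code:
// each entry may only select one of the registered handlers and pass it data.
function dispatchResponse(body) {
  const msg = JSON.parse(body);
  if (!msg || !Array.isArray(msg.calls)) throw new Error('malformed response');
  const results = [];
  for (const call of msg.calls) {
    const fn = handlers.get(call.handler);
    if (fn === undefined) throw new Error(`unknown handler: ${String(call.handler)}`);
    const args = Array.isArray(call.args) ? call.args : [];
    results.push(fn(...args));
  }
  return results;
}

// Constructed stand-in for the page's DOM so the example runs in Node.
const fakeDom = new Map([['form1', '<form>old</form>'], ['msg', '']]);

// Two example behaviours registering their handlers "on page load".
registerHandler('dom.replace', (id, html) => {
  if (!fakeDom.has(id)) throw new Error(`no element ${id}`);
  fakeDom.set(id, html);
  return id;
});
registerHandler('dom.setText', (id, text) => {
  fakeDom.set(id, String(text));
  return id;
});

// Constructed sample response: data, where an eval-based design would send script.
const SAMPLE_RESPONSE = JSON.stringify({
  calls: [
    { handler: 'dom.replace', args: ['form1', '<form>new</form>'] },
    { handler: 'dom.setText', args: ['msg', 'Saved'] },
  ],
});

// Constructed hostile response: under eval() this string would run; here it is
// just an unknown handler name and is rejected.
const HOSTILE_RESPONSE = JSON.stringify({
  calls: [{ handler: 'eval', args: ['alert(document.cookie)'] }],
});

function demo() {
  const ok = dispatchResponse(SAMPLE_RESPONSE);
  let rejected = false;
  try {
    dispatchResponse(HOSTILE_RESPONSE);
  } catch (e) {
    rejected = /unknown handler/.test(e.message);
  }
  return { ok, rejected, form1: fakeDom.get('form1'), msg: fakeDom.get('msg') };
}

console.log(demo());
```

Because the response is consumed with JSON.parse and a Map lookup, this client runs under a policy such as `script-src 'self'` with no 'unsafe-eval'. Note that the same CSP keyword also gates the Function constructor, so swapping eval for new Function() does not by itself make a page CSP-compatible; moving the code into registered functions does.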