Posted to commits@wicket.apache.org by "Andrew Kondratev (JIRA)" <ji...@apache.org> on 2019/07/07 23:56:00 UTC

[jira] [Comment Edited] (WICKET-6682) Improve JavaScriptContentHeaderItem and JavaScriptUtils to support nonce

    [ https://issues.apache.org/jira/browse/WICKET-6682?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16879970#comment-16879970 ] 

Andrew Kondratev edited comment on WICKET-6682 at 7/7/19 11:55 PM:
-------------------------------------------------------------------

[~solomax] SHA hash is also a good option, but I think this might not work well for Wicket, because we need a hash in the header for EVERY inline script. http://examples8x.wicket.apache.org/ajax/choice has 6 inline script tags, some real Wicket apps have more inline scripts, which I think will make the header far too polluted.


was (Author: kondratev):
[~solomax] sha hash is also a good option, but I think this might not work well for wicket, because we need a hash in the header for EVERY inline script. view-source:examples8x.wicket.apache.org/ajax/choice has 6, some real wicket apps have more inline scripts, which I think will make the header far too polluted.

> Improve JavaScriptContentHeaderItem and JavaScriptUtils to support nonce
> ------------------------------------------------------------------------
>
>                 Key: WICKET-6682
>                 URL: https://issues.apache.org/jira/browse/WICKET-6682
>             Project: Wicket
>          Issue Type: Improvement
>            Reporter: Andrew Kondratev
>            Priority: Major
>              Labels: security
>
> One of the easy wins for Content Security Policy would be support for a _nonce_ on inline JavaScript header injections.
> [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#Unsafe_inline_script]
> *Criteria*
>  * Set up some kind of request unique nonce provider
>  * Make it possible for JavaScript header items to have provided nonce
>  * Add provided nonce to the `Content-Security-Policy: script-src` header
> See in code:
> org.apache.wicket.core.util.string.JavaScriptUtils#writeOpenTag
> org.apache.wicket.markup.head.JavaScriptContentHeaderItem#render
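The two approaches discussed above side by side, as an added standalone illustration that is not Wicket code and not from the reporter or the issue: a per-request nonce that covers every inline script with one CSP source, versus the hash alternative that needs one `'sha256-...'` source per inline script body. The class, method names and sample script bodies are assumptions; the real change would live in the Wicket classes named above.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.List;

/** Hypothetical standalone demo of CSP nonce vs. hash handling (not Wicket's API). */
public final class CspNonceDemo {
    private static final SecureRandom RANDOM = new SecureRandom();

    /** Fresh 128-bit nonce, generated once per response and shared by all its inline scripts. */
    static String newNonce() {
        byte[] bytes = new byte[16];
        RANDOM.nextBytes(bytes);
        return Base64.getEncoder().encodeToString(bytes); // Base64 needs no attribute escaping
    }

    /** Header value that admits only inline scripts carrying this response's nonce. */
    static String nonceHeader(String nonce) {
        return "script-src 'self' 'nonce-" + nonce + "'";
    }

    /** Open tag an inline header item would have to emit so the browser accepts it. */
    static String openTag(String nonce) {
        return "<script type=\"text/javascript\" nonce=\"" + nonce + "\">";
    }

    /** Hash alternative: the header grows by one source per distinct inline script body. */
    static String hashHeader(List<String> inlineScripts) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        StringBuilder sb = new StringBuilder("script-src 'self'");
        for (String script : inlineScripts) {
            // The digest covers the exact text between the script tags, whitespace included.
            byte[] digest = md.digest(script.getBytes(StandardCharsets.UTF_8));
            sb.append(" 'sha256-").append(Base64.getEncoder().encodeToString(digest)).append('\'');
        }
        return sb.toString();
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample bodies standing in for a page's inline scripts.
        List<String> scripts = List.of(
                "Wicket.Event.add(window, \"domready\", function() { /* a */ });",
                "Wicket.Event.add(window, \"domready\", function() { /* b */ });",
                "Wicket.Event.add(window, \"domready\", function() { /* c */ });");
        String nonce = newNonce();
        System.out.println(nonceHeader(nonce)); // one source, however many inline scripts
        System.out.println(openTag(nonce));     // same nonce on every inline tag of this response
        System.out.println(hashHeader(scripts)); // one sha256 source per script body
    }
}
```

The nonce must be regenerated for every response and must not be derivable by an attacker, otherwise it adds nothing over `'unsafe-inline'`.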



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)