Posted to dev@wicket.apache.org by Martin Grigorov <mg...@apache.org> on 2020/02/27 12:02:25 UTC

CSP and UI libraries

Hi,

I'm creating a new thread to not hijack the discussion about the CSS
utilities.

On Thu, Feb 27, 2020 at 12:56 PM Ernesto Reinaldo Barreiro <
reiern70@gmail.com> wrote:

> Hi,
>
> On Thu, Feb 27, 2020 at 12:33 PM Andrea Del Bene <an...@gmail.com>
> wrote:
>
> > On Wed, Feb 26, 2020 at 10:26 AM Ernesto Reinaldo Barreiro <
> > reiern70@gmail.com> wrote:
> >
> > > Hi,
> > >
> > > Right now I don't have enough knowledge to vote on this feature. One
> > > thing I didn't like, and I already mentioned it before, is some of us
> > > were waiting for 9.x to be released some time ago (at least a few
> > > months ago I was preparing some branch of our application and ported
> > > it to 9.x, after asking about release plans) and all of a sudden this
> > > feature is introduced and all sub-frameworks depending on Wicket will
> > > have to be adapted.
> >
> >
> > In which way should sub-frameworks be affected? I mean, as far as I
> > understand it, if we disable the CSP blocking configuration everything
> > should work "the old way", and that's why I would prefer to keep CSP
> > disabled by default.
> >
>
> Well, if something is supported at core level then if associated projects
> want to comply with this new feature, which might be ideal, then they will
> have to be adapted (or not?). I'm not talking about not releasing the new
> feature. I'm talking about not releasing it as part of 9.x, as it was said
> to be almost ready for release a few months ago, and deferring it to 10.x
> (and trying to release it soon).
>

I wanted to ask here whether we need an API that says whether CSP is
enabled or disabled.
For example UI libraries like Wicket Bootstrap & Wicket JQuery UI (and any
other) may use it to decide how to behave depending on the result.
Because at the moment there is no place for assumption - every library
should be updated to assume that CSP is always enabled.


>
> --
> Regards - Ernesto Reinaldo Barreiro
>

Re: CSP and UI libraries

Posted by Maxim Solodovnik <so...@gmail.com>.
Yes,
All my PRs were made with strict CSP enabled.
An additional minor change is required to make the tests pass.
Will create a PR right after the release.

On Thu, Feb 27, 2020, 20:32 Martin Grigorov <mg...@apache.org> wrote:

> Thanks, Emond!
>
> @Maxim: since you started using Wicket 9.x Bootstrap 4.x recently: do you
> use it with CSP enabled?
>
> On Thu, Feb 27, 2020 at 3:17 PM Emond Papegaaij <emond.papegaaij@gmail.com>
> wrote:
>
> > Hi Martin and Sebastien,
> >
> > I see no need for checking if CSP is enabled or not. It is not hard to
> > write your code to comply with even the strictest CSP. If it works with
> > the strict CSP, it will also work when CSP is disabled or with a less
> > strict CSP. Simply follow the few rules explained in the user guide.
> > Note that if your library needs to check if a nonce is required, this
> > is already supported, see
> > ContentSecurityPolicyEnforcer.isNonceEnabled().
> >
> > Our application uses WiQuery and several other frameworks, and I only
> > had to make minor changes to make this application fully compliant
> > with the strict CSP. No changes were required to WiQuery. A small
> > change is required to the ChartJS library we use
> > (https://github.com/haster/java-chartjs) because ChartJS tries to
> > insert a stylesheet into the head. This stylesheet has to be rendered
> > via Wicket to get the nonce.
> >
> > Best regards,
> > Emond
> >
> > On Thu, Feb 27, 2020 at 2:00 PM Sebastien Briquet <sb...@apache.org>
> > wrote:
> > >
> > > Hi Martin,
> > >
> > > Actually that's a good point! I will try to upgrade Wicket jQuery UI to
> > > wicket 9/CSP to see how it behaves...
> > >
> > > Thanks and best regards,
> > > Sebastien
> >
>

Re: CSP and UI libraries

Posted by Martin Grigorov <mg...@apache.org>.
Thanks, Emond!

@Maxim: since you started using Wicket 9.x Bootstrap 4.x recently: do you
use it with CSP enabled?

On Thu, Feb 27, 2020 at 3:17 PM Emond Papegaaij <em...@gmail.com>
wrote:

> Hi Martin and Sebastien,
>
> I see no need for checking if CSP is enabled or not. It is not hard to
> write your code to comply with even the strictest CSP. If it works with
> the strict CSP, it will also work when CSP is disabled or with a less
> strict CSP. Simply follow the few rules explained in the user guide.
> Note that if your library needs to check if a nonce is required, this
> is already supported, see
> ContentSecurityPolicyEnforcer.isNonceEnabled().
>
> Our application uses WiQuery and several other frameworks, and I only
> had to make minor changes to make this application fully compliant
> with the strict CSP. No changes were required to WiQuery. A small
> change is required to the ChartJS library we use
> (https://github.com/haster/java-chartjs) because ChartJS tries to
> insert a stylesheet into the head. This stylesheet has to be rendered
> via Wicket to get the nonce.
>
> Best regards,
> Emond
>
> On Thu, Feb 27, 2020 at 2:00 PM Sebastien Briquet <sb...@apache.org>
> wrote:
> >
> > Hi Martin,
> >
> > Actually that's a good point! I will try to upgrade Wicket jQuery UI to
> > wicket 9/CSP to see how it behaves...
> >
> > Thanks and best regards,
> > Sebastien
>

Re: CSP and UI libraries

Posted by Emond Papegaaij <em...@gmail.com>.
Hi Martin and Sebastien,

I see no need for checking if CSP is enabled or not. It is not hard to
write your code to comply with even the strictest CSP. If it works with
the strict CSP, it will also work when CSP is disabled or with a less
strict CSP. Simply follow the few rules explained in the user guide.
Note that if your library needs to check if a nonce is required, this
is already supported, see
ContentSecurityPolicyEnforcer.isNonceEnabled().

Our application uses WiQuery and several other frameworks, and I only
had to make minor changes to make this application fully compliant
with the strict CSP. No changes were required to WiQuery. A small
change is required to the ChartJS library we use
(https://github.com/haster/java-chartjs) because ChartJS tries to
insert a stylesheet into the head. This stylesheet has to be rendered
via Wicket to get the nonce.

Best regards,
Emond

On Thu, Feb 27, 2020 at 2:00 PM Sebastien Briquet <sb...@apache.org> wrote:
>
> Hi Martin,
>
> Actually that's a good point! I will try to upgrade Wicket jQuery UI to
> wicket 9/CSP to see how it behaves...
>
> Thanks and best regards,
> Sebastien

Re: CSP and UI libraries

Posted by Maxim Solodovnik <so...@gmail.com>.
It is possible
but this CSP will not be `strict` anymore :)))

On Fri, 28 Feb 2020 at 15:23, Sebastien Briquet <sb...@apache.org> wrote:
>
> Thank you so much Emond! I will try that!



-- 
WBR
Maxim aka solomax

Re: CSP and UI libraries

Posted by Sebastien Briquet <sb...@apache.org>.
Thank you so much Emond! I will try that!

Re: CSP and UI libraries

Posted by Emond Papegaaij <em...@gmail.com>.
Hi Sebastien,

Unfortunately, not all libraries work with a strict CSP (Wicket used
to be one of those :) ). For such a library, you might want to roll a
less strict CSP via an IInitializer. From what I see in the link sent
by Maxim, you'll need to add 'unsafe-eval' for Kendo:
getCsp().blocking().add(CSPDirective.SCRIPT_SRC, CSPDirectiveSrcValue.UNSAFE_EVAL);

Best regards,
Emond

On Fri, Feb 28, 2020 at 4:05 AM Sebastien Briquet <sb...@apache.org> wrote:
>
> Thank you very much for letting me know!
> I didn't exactly know what to expect until I would put my hands in it, but
> now I'm a little bit worried, haha!
>
> Best regards,
> Sebastien
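The relaxation Emond describes, written out as a complete IInitializer (an added example, not code from the thread or from the Wicket project). The accessor and directive calls are the ones in Emond's snippet above; Andrea proposes renaming the accessor later in the thread, so check the name in the Wicket build you target. The package, class name and the wicket.properties registration are assumptions.

```java
// Assumed package and class name; not part of Wicket or of any library in the thread.
package com.example.csp;

import org.apache.wicket.Application;
import org.apache.wicket.IInitializer;
import org.apache.wicket.csp.CSPDirective;
import org.apache.wicket.csp.CSPDirectiveSrcValue;

/**
 * Widens the blocking CSP just enough for a library that needs eval()
 * (Kendo UI, per the Telerik page Maxim linked). Registered by placing a
 * wicket.properties file on the classpath root containing:
 *
 *   initializer=com.example.csp.KendoCspInitializer
 *
 * Only script-src gains 'unsafe-eval'. Inline scripts and styles stay
 * nonce-gated, so the rest of the strict policy still applies; as Maxim
 * notes, though, the resulting policy can no longer be called "strict".
 */
public class KendoCspInitializer implements IInitializer {

    @Override
    public void init(Application application) {
        // Same call as in Emond's message, applied to the blocking
        // (enforced) policy rather than a report-only one.
        application.getCsp()
                   .blocking()
                   .add(CSPDirective.SCRIPT_SRC, CSPDirectiveSrcValue.UNSAFE_EVAL);
    }

    @Override
    public void destroy(Application application) {
        // Nothing to undo: the policy lives and dies with the Application.
    }
}
```

Keep the widening in a dedicated initializer like this one so it is easy to find and remove once the library no longer needs eval().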

Re: CSP and UI libraries

Posted by Maxim Solodovnik <so...@gmail.com>.
Sorry for bringing such news :(

On Fri, 28 Feb 2020 at 10:05, Sebastien Briquet <sb...@apache.org> wrote:
>
> Thank you very much for letting me know!
> I didn't exactly know what to expect until I would put my hands in it, but
> now I'm a little bit worried, haha!
>
> Best regards,
> Sebastien



-- 
WBR
Maxim aka solomax

Re: CSP and UI libraries

Posted by Sebastien Briquet <sb...@apache.org>.
Thank you very much for letting me know!
I didn't exactly know what to expect until I would put my hands in it, but
now I'm a little bit worried, haha!

Best regards,
Sebastien

Re: CSP and UI libraries

Posted by Maxim Solodovnik <so...@gmail.com>.
Hello Sebastien,

Unfortunately this task might be challenging :(
Kendo will not work in strict CSP mode :(
https://docs.telerik.com/kendo-ui/troubleshoot/content-security-policy

Other places to look at (should be easy to correct):
DisplayNoneBehavior
MessageDialog
:)))

On Thu, 27 Feb 2020 at 20:00, Sebastien Briquet <sb...@apache.org> wrote:
>
> Hi Martin,
>
> Actually that's a good point! I will try to upgrade Wicket jQuery UI to
> wicket 9/CSP to see how it behaves...
>
> Thanks and best regards,
> Sebastien



-- 
WBR
Maxim aka solomax

Re: CSP and UI libraries

Posted by Sebastien Briquet <sb...@apache.org>.
Hi Martin,

Actually that's a good point! I will try to upgrade Wicket jQuery UI to
wicket 9/CSP to see how it behaves...

Thanks and best regards,
Sebastien

Re: CSP and UI libraries

Posted by Martin Grigorov <mg...@apache.org>.
On Fri, Feb 28, 2020 at 11:55 AM Martin Grigorov <mg...@apache.org>
wrote:

>
>
> On Fri, Feb 28, 2020 at 11:37 AM Andrea Del Bene <an...@gmail.com>
> wrote:
>
>> On Thu, Feb 27, 2020 at 1:03 PM Martin Grigorov <mg...@apache.org>
>> wrote:
>>
>> >
>> >
>> > I wanted to ask here whether we need an API that says whether CSP is
>> > enabled or disabled.
>> > For example UI libraries like Wicket Bootstrap & Wicket JQuery UI (and
>> > any other) may use it to decide how to behave depending on the result.
>> > Because at the moment there is no place for assumption - every library
>> > should be updated to assume that CSP is always enabled.
>> >
>> >
>> >
>> I think it would be nice to provide such an API for those who will have
>> problems adopting CSP. More generally I'd like to rework the CSP APIs in
>> order to make them coherent with the code conventions we have adopted with
>> the other types of configurations. For example creating an
>> Application.getCSPSettings() to access the CSP configuration.
>>
>
> +1 for this!
>

Done!


>
>
>

Re: CSP and UI libraries

Posted by Martin Grigorov <mg...@apache.org>.
On Fri, Feb 28, 2020 at 11:37 AM Andrea Del Bene <an...@gmail.com>
wrote:

> On Thu, Feb 27, 2020 at 1:03 PM Martin Grigorov <mg...@apache.org>
> wrote:
>
> >
> >
> > I wanted to ask here whether we need an API that says whether CSP is
> > enabled or disabled.
> > For example UI libraries like Wicket Bootstrap & Wicket JQuery UI (and
> > any other) may use it to decide how to behave depending on the result.
> > Because at the moment there is no place for assumption - every library
> > should be updated to assume that CSP is always enabled.
> >
> >
> >
> I think it would be nice to provide such an API for those who will have
> problems adopting CSP. More generally I'd like to rework the CSP APIs in
> order to make them coherent with the code conventions we have adopted with
> the other types of configurations. For example creating an
> Application.getCSPSettings() to access the CSP configuration.
>

+1 for this!

Re: CSP and UI libraries

Posted by Andrea Del Bene <an...@gmail.com>.
On Thu, Feb 27, 2020 at 1:03 PM Martin Grigorov <mg...@apache.org>
wrote:

>
>
> I wanted to ask here whether we need an API that says whether CSP is
> enabled or disabled.
> For example UI libraries like Wicket Bootstrap & Wicket JQuery UI (and any
> other) may use it to decide how to behave depending on the result.
> Because at the moment there is no place for assumption - every library
> should be updated to assume that CSP is always enabled.
>
>
>
I think it would be nice to provide such an API for those who will have
problems adopting CSP. More generally I'd like to rework the CSP APIs in
order to make them coherent with the code conventions we have adopted with
the other types of configurations. For example creating an
Application.getCSPSettings() to access the CSP configuration.