[ https://issues.apache.org/jira/browse/WICKET-6682?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16879971#comment-16879971 ]
Andrew Kondratev commented on WICKET-6682:
------------------------------------------

I'm going to work on the PR for this improvement this week.

> Improve JavaScriptContentHeaderItem and JavaScriptUtils to support nonce
> ------------------------------------------------------------------------
>
>                 Key: WICKET-6682
>                 URL: https://issues.apache.org/jira/browse/WICKET-6682
>             Project: Wicket
>          Issue Type: Improvement
>            Reporter: Andrew Kondratev
>            Priority: Major
>              Labels: security
>
> One of the easy wins for content security policy would be support of _nonce_
> for inline JavaScript header injections.
> [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#Unsafe_inline_script]
>
> *Criteria*
> * Set up some kind of request-unique nonce provider
> * Make it possible for JavaScript header items to have the provided nonce
> * Add the provided nonce to the `Content-Security-Policy: script-src` header
>
> See in code:
> org.apache.wicket.core.util.string.JavaScriptUtils#writeOpenTag
> org.apache.wicket.markup.head.JavaScriptContentHeaderItem#render

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
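The three criteria in the quoted issue fit together as shown in the following stand-alone Java sketch. It is an added illustration, not Wicket code or the author's PR: the class and method names (CspNonceDemo, newNonce, openScriptTag, cspHeader) are assumptions, and the opening tag only stands in for what a nonce-aware JavaScriptUtils#writeOpenTag would emit.

```java
import java.security.SecureRandom;
import java.util.Base64;

/** Illustrative per-request CSP nonce handling (not part of Wicket). */
public final class CspNonceDemo {
    private static final SecureRandom RNG = new SecureRandom();

    /** Nonce provider: 128 bits from a CSPRNG, base64-encoded, fresh for every request. */
    static String newNonce() {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        return Base64.getEncoder().encodeToString(raw);
    }

    /** Opening script tag carrying the request's nonce (stand-in for writeOpenTag). */
    static String openScriptTag(String nonce) {
        // Base64 output is limited to [A-Za-z0-9+/=], so the attribute value needs no HTML escaping.
        return "<script type=\"text/javascript\" nonce=\"" + nonce + "\">";
    }

    /** Inline header item rendered with the nonce it was given. */
    static String renderInlineScript(String nonce, String javaScript) {
        return openScriptTag(nonce) + "\n" + javaScript + "\n</script>";
    }

    /** CSP directive that permits exactly the inline scripts carrying this nonce. */
    static String cspHeader(String nonce) {
        return "script-src 'nonce-" + nonce + "'";
    }

    public static void main(String[] args) {
        // Two simulated requests: header and markup agree within a request, but the
        // nonce differs between requests, so a captured value cannot be replayed.
        for (int request = 1; request <= 2; request++) {
            String nonce = newNonce();
            System.out.println("Request " + request);
            System.out.println("Content-Security-Policy: " + cspHeader(nonce));
            System.out.println(renderInlineScript(nonce, "console.log('inline header item');"));
            System.out.println();
        }
    }
}
```

The nonce must be generated once per request and shared by the header and every rendered header item; reusing a nonce across requests, or caching rendered markup that embeds one, defeats the protection.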