[ https://issues.apache.org/jira/browse/WICKET-6682?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sven Meier reopened WICKET-6682:
--------------------------------

This doesn't work for JS/CSS resources added via Ajax yet. We'll have to add 'strict-dynamic' to the nonce meta.

> Improve JavaScriptContentHeaderItem and JavaScriptUtils to support nonce
> ------------------------------------------------------------------------
>
>                 Key: WICKET-6682
>                 URL: https://issues.apache.org/jira/browse/WICKET-6682
>             Project: Wicket
>          Issue Type: Improvement
>          Components: wicket
>    Affects Versions: 8.5.0, 9.0.0-M2
>            Reporter: Andrew Kondratev
>            Assignee: Sven Meier
>            Priority: Major
>              Labels: security
>             Fix For: 9.0.0-M3
>
>
> One of the easy wins for content security policy would be support of _nonce_
> for inline JavaScript header injections.
> https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#Unsafe_inline_script
>
> *Criteria*
> * Set up some kind of request-unique nonce provider
> * Make it possible for JavaScript header items to carry the provided nonce
> * Add the provided nonce to the `Content-Security-Policy: script-src` header
>
> See in code:
> org.apache.wicket.core.util.string.JavaScriptUtils#writeOpenTag
> org.apache.wicket.markup.head.JavaScriptContentHeaderItem#render

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
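The three criteria in the description, plus the 'strict-dynamic' addition from the reopening comment, fit in one small sketch. The following is an added, self-contained example written for this page; it is not Wicket's code and the class and method names (CspNonceExample, newNonce, scriptOpenTag, scriptSrcDirective) are hypothetical stand-ins for whatever a JavaScriptUtils#writeOpenTag / JavaScriptContentHeaderItem#render integration would actually look like. It shows why the Ajax case needs 'strict-dynamic': the page's CSP header carries the nonce of the request that rendered the page, while a later Ajax response is a separate request with a different nonce, so a script it adds can only pass the policy if a nonced script is allowed to load it.

```java
import java.security.SecureRandom;
import java.util.Base64;

/**
 * Illustrative sketch (not Wicket's API) of the issue's three criteria:
 * a per-request nonce, a <script> open tag that carries it, and the
 * matching Content-Security-Policy script-src directive.
 */
public final class CspNonceExample {

    private static final SecureRandom RANDOM = new SecureRandom();

    /**
     * Hypothetical "request-unique nonce provider": 128 bits from a CSPRNG,
     * base64-encoded. Generate it once per request and never reuse it; a
     * predictable or reused nonce gives back the inline-script hole CSP closes.
     */
    public static String newNonce() {
        byte[] bytes = new byte[16];
        RANDOM.nextBytes(bytes);
        return Base64.getEncoder().encodeToString(bytes);
    }

    /**
     * Analogue of a writeOpenTag helper: emit the open tag for an inline script
     * and add the nonce attribute only when a nonce was provided. The nonce is
     * trusted because this code generated it; the application-supplied id is
     * escaped before it is placed in an attribute.
     */
    public static String scriptOpenTag(String id, String nonce) {
        StringBuilder sb = new StringBuilder("<script type=\"text/javascript\"");
        if (id != null) {
            sb.append(" id=\"").append(escapeAttribute(id)).append('"');
        }
        if (nonce != null) {
            sb.append(" nonce=\"").append(nonce).append('"');
        }
        return sb.append('>').toString();
    }

    /**
     * script-src directive for the same request. With strictDynamic the browser
     * also runs scripts that a nonced script creates at run time (the Ajax case
     * from the reopening comment) without requiring their own nonce, and it
     * ignores host allow-lists and 'unsafe-inline' in the same directive.
     */
    public static String scriptSrcDirective(String nonce, boolean strictDynamic) {
        StringBuilder sb = new StringBuilder("script-src 'nonce-").append(nonce).append('\'');
        if (strictDynamic) {
            sb.append(" 'strict-dynamic'");
        }
        return sb.toString();
    }

    private static String escapeAttribute(String s) {
        return s.replace("&", "&amp;")
                .replace("\"", "&quot;")
                .replace("<", "&lt;")
                .replace(">", "&gt;");
    }

    public static void main(String[] args) {
        // The page request: one nonce, used in both the header and the inline tag.
        String pageNonce = newNonce();
        String header = "Content-Security-Policy: " + scriptSrcDirective(pageNonce, true);
        String inline = scriptOpenTag("wicket-init", pageNonce)
                + "\n  /* inline JS rendered by a header item */\n</script>";
        System.out.println(header);
        System.out.println(inline);

        // A later Ajax response is a different request and gets a different nonce,
        // which the already-delivered page policy does not know about. Without
        // 'strict-dynamic' a script it adds would be blocked.
        String ajaxNonce = newNonce();
        System.out.println("page nonce != ajax nonce: " + !pageNonce.equals(ajaxNonce));
    }
}
```

One caveat that matters for how the Ajax side injects markup: 'strict-dynamic' only extends trust to script elements that a trusted script creates itself (for example with createElement and appendChild). Script tags that arrive as parsed markup, through innerHTML or document.write, are parser-inserted and are still blocked unless they carry a nonce the current policy accepts.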