This is an automated email from the ASF dual-hosted git repository.

svenmeier pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/wicket.git

commit a1a53a9d8da0e06520ff68d58b3f4dd64d329a9f
Author: Sven Meier <svenme...@apache.org>
AuthorDate: Fri Sep 27 12:40:55 2019 +0200

    WICKET-6682 CSP must use 'strict-dynamic'
    
    to allow dynamically added JS resources
---
 .../markup/head/filter/CspNonceHeaderResponse.java |  4 ++--
 .../markup/head/filter/CspNoncePageExpected.html   |  2 +-
 .../apache/wicket/examples/csp/NonceDemoPage.html  |  2 ++
 .../apache/wicket/examples/csp/NonceDemoPage.java  | 28 ++++++++++++++++++++++
 .../apache/wicket/examples/csp/delayedVisible.css  |  7 ++++++
 .../apache/wicket/examples/csp/delayedVisible.js   |  3 +++
 6 files changed, 43 insertions(+), 3 deletions(-)

diff --git 
a/wicket-core/src/main/java/org/apache/wicket/markup/head/filter/CspNonceHeaderResponse.java
 
b/wicket-core/src/main/java/org/apache/wicket/markup/head/filter/CspNonceHeaderResponse.java
index 7a911ca..6376518 100644
--- 
a/wicket-core/src/main/java/org/apache/wicket/markup/head/filter/CspNonceHeaderResponse.java
+++ 
b/wicket-core/src/main/java/org/apache/wicket/markup/head/filter/CspNonceHeaderResponse.java
@@ -80,7 +80,7 @@ public class CspNonceHeaderResponse extends 
DecoratingHeaderResponse
         * Get the <em>Content-Security-Policy</em> (CSP).
         * <p>
         * There is a variety of CSP configurations, this default 
implementation uses the nonce for scripts and styles
-        * and allows <code>unsafe-eval</code>s (needed for Wicket Ajax).
+        * and allows <code>unsafe-eval</code> and <code>strict-dynamic</code>s 
(needed for Wicket Ajax).
         * 
         * @param nonce
         *            the nonce
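Review bot: The plural suffix on the changed Javadoc line moved to the wrong word: `<code>unsafe-eval</code> and <code>strict-dynamic</code>s` should read `and allows <code>unsafe-eval</code> and <code>strict-dynamic</code> (needed for Wicket Ajax).`. Since `'strict-dynamic'` changes the trust model rather than just adding a keyword, the same sentence should say what it does: scripts that the nonced scripts load programmatically (for example via `createElement('script')`) inherit their trust, while conformant browsers ignore host/scheme allowlist entries and `'unsafe-inline'` in `script-src`. The Javadoc block this line belongs to starts above the hunk.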
@@ -88,6 +88,6 @@ public class CspNonceHeaderResponse extends 
DecoratingHeaderResponse
         */
        protected String getContentSecurityPolicy(String nonce)
        {
-               return String.format("script-src 'unsafe-eval' 'nonce-%1$s'; 
style-src 'nonce-%1$s';", nonce);
+               return String.format("script-src 'unsafe-eval' 'strict-dynamic' 
'nonce-%1$s'; style-src 'nonce-%1$s';", nonce);
        }
 }
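Review bot: The returned policy now combines `'strict-dynamic'` with `'unsafe-eval'`, and because `'strict-dynamic'` makes browsers disregard host- or scheme-based `script-src` entries, a subclass overriding `getContentSecurityPolicy` to allow-list a CDN will have those entries silently dropped; this deserves an `@implSpec` or `@return` sentence on the method (its Javadoc tags sit between the two hunks) rather than a surprise at runtime. Browsers that do not implement `'strict-dynamic'` ignore the unknown keyword and fall back to the nonce alone, so dynamically inserted scripts without a nonce are still blocked there, which is worth stating next to the "needed for Wicket Ajax" remark. The policy also sets neither `object-src` nor `base-uri`; a nonce-based policy is commonly paired with `object-src 'none'; base-uri 'none'`, though that is a separate hardening step from this commit.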
diff --git 
a/wicket-core/src/test/java/org/apache/wicket/markup/head/filter/CspNoncePageExpected.html
 
b/wicket-core/src/test/java/org/apache/wicket/markup/head/filter/CspNoncePageExpected.html
index baa33ba..63c9d08 100644
--- 
a/wicket-core/src/test/java/org/apache/wicket/markup/head/filter/CspNoncePageExpected.html
+++ 
b/wicket-core/src/test/java/org/apache/wicket/markup/head/filter/CspNoncePageExpected.html
@@ -1,5 +1,5 @@
 <html 
xmlns:wicket="http://wicket.apache.org/dtds.data/wicket-xhtml1.4-strict.dtd"; >
-    <head><meta http-equiv="Content-Security-Policy" content="script-src 
'unsafe-eval' 'nonce-NONCE'; style-src 'nonce-NONCE';" />
+    <head><meta http-equiv="Content-Security-Policy" content="script-src 
'unsafe-eval' 'strict-dynamic' 'nonce-NONCE'; style-src 'nonce-NONCE';" />
 <script type="text/javascript" 
src="../resource/org.apache.wicket.resource.JQueryResourceReference/jquery/jquery-3.4.1.js"
 nonce="NONCE"></script>
 <script type="text/javascript" 
src="../resource/org.apache.wicket.ajax.AbstractDefaultAjaxBehavior/res/js/wicket-ajax-jquery.js"
 nonce="NONCE"></script>
 <script type="text/javascript" id="wicket-ajax-debug-enable" nonce="NONCE">
diff --git 
a/wicket-examples/src/main/java/org/apache/wicket/examples/csp/NonceDemoPage.html
 
b/wicket-examples/src/main/java/org/apache/wicket/examples/csp/NonceDemoPage.html
index 9115256..6aab2b8 100644
--- 
a/wicket-examples/src/main/java/org/apache/wicket/examples/csp/NonceDemoPage.html
+++ 
b/wicket-examples/src/main/java/org/apache/wicket/examples/csp/NonceDemoPage.html
@@ -14,6 +14,8 @@
     <div class="click-me-text">Click a button above to replace this text</div>
     <div><wicket:message key="clickMeCount" /> <span 
wicket:id="clickMeCount"></span></div>
     <p></p>
+    <div wicket:id="delayedVisible" class="delayed-visible">This delayed shown 
text should be green and bold</div>
+    <p></p>
     <p><wicket:message key="ieDisclaimer"/></p>
 
     <!-- Injections below will work in IE11, because IE 11 doesn't support 
nonce -->
diff --git 
a/wicket-examples/src/main/java/org/apache/wicket/examples/csp/NonceDemoPage.java
 
b/wicket-examples/src/main/java/org/apache/wicket/examples/csp/NonceDemoPage.java
index d092f8d..dce8079 100644
--- 
a/wicket-examples/src/main/java/org/apache/wicket/examples/csp/NonceDemoPage.java
+++ 
b/wicket-examples/src/main/java/org/apache/wicket/examples/csp/NonceDemoPage.java
@@ -22,15 +22,23 @@ import org.apache.wicket.examples.WicketExamplePage;
 import org.apache.wicket.markup.head.CssHeaderItem;
 import org.apache.wicket.markup.head.IHeaderResponse;
 import org.apache.wicket.markup.head.JavaScriptHeaderItem;
+import org.apache.wicket.markup.html.WebMarkupContainer;
 import org.apache.wicket.markup.html.basic.Label;
 import org.apache.wicket.model.IModel;
 import org.apache.wicket.model.Model;
+import org.apache.wicket.request.resource.CssResourceReference;
+import org.apache.wicket.request.resource.JavaScriptResourceReference;
+import org.apache.wicket.request.resource.ResourceReference;
 
 /**
  * Page which disallows execution of inline scripts without nonce
  */
 public class NonceDemoPage extends WicketExamplePage
 {
+       
+       private static final ResourceReference JS_DELAYED = new 
JavaScriptResourceReference(NonceDemoPage.class, "delayedVisible.js");
+       private static final ResourceReference CSS_DELAYED = new 
CssResourceReference(NonceDemoPage.class, "delayedVisible.css");
+       
        private final IModel<Integer> clickMeCountModel = Model.of(0);
 
        public NonceDemoPage()
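Review bot: Several of the added blank lines carry trailing tabs (the line after the class brace and the one after the `CSS_DELAYED` field here, and in the next two hunks the blank lines around the `delayedVisible` container and the one before `delayedVisible.setVisible(true)`); strip them so the file stays consistent with the surrounding code. The two new `ResourceReference` constants also have no comment explaining their role in this demo; if the commit message is the intent, `// resources contributed only when the hidden container is shown via Ajax, i.e. added to the page dynamically` above `JS_DELAYED` would cover it. The constructor that starts on the last line of this hunk continues in the next one.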
@@ -38,9 +46,25 @@ public class NonceDemoPage extends WicketExamplePage
                super();
                add(new Label("testNonceScript", getString("testNonceScript")));
                add(new Label("testNoNonceScript", 
getString("testNoNonceScript")));
+
                final Label clickMeCount = new Label("clickMeCount", 
clickMeCountModel);
                clickMeCount.setOutputMarkupId(true);
                add(clickMeCount);
+               
+               final WebMarkupContainer delayedVisible = new 
WebMarkupContainer("delayedVisible") {
+                       @Override
+                       public void renderHead(IHeaderResponse response)
+                       {
+                               super.renderHead(response);
+                               
+                               
response.render(JavaScriptHeaderItem.forReference(JS_DELAYED));
+                               
response.render(CssHeaderItem.forReference(CSS_DELAYED));
+                       }
+               };
+               delayedVisible.setOutputMarkupPlaceholderTag(true);
+               delayedVisible.setVisible(false);
+               add(delayedVisible);
+               
                add(new AjaxLink<String>("clickMe")
                {
                        @Override
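Review bot: The `delayedVisible` container is created hidden with a placeholder tag and only contributes its JS/CSS header items once it is rendered, but nothing in the code says that this is the point of the example; a comment above `final WebMarkupContainer delayedVisible` such as `// Starts hidden; when shown via Ajax its JS/CSS references are added dynamically, which is what 'strict-dynamic' in the CSP permits` would spare the next reader a trip to WICKET-6682. The `AjaxLink` anonymous class begun at the end of this hunk continues into the next one.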
@@ -50,8 +74,12 @@ public class NonceDemoPage extends WicketExamplePage
 
                                // target.add (works even without unsafe-eval)
                                target.add(clickMeCount);
+
                                // append javascript (won't work without 
unsafe-eval)
                                
target.appendJavaScript("document.querySelector(\".click-me-text\").innerHTML = 
\"replaced\";");
+                               
+                               delayedVisible.setVisible(true);
+                               target.add(delayedVisible);
                        }
                }.setOutputMarkupId(true));
        }
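Review bot: The two new statements `delayedVisible.setVisible(true); target.add(delayedVisible);` are the only steps in `onClick` without the per-step comment the earlier lines use (`// target.add (works even without unsafe-eval)`, `// append javascript (won't work without unsafe-eval)`); add `// show the container: its header items are inserted dynamically (won't work without strict-dynamic)` above them to keep the demo self-explanatory. The `onClick` signature is above this hunk.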
diff --git 
a/wicket-examples/src/main/java/org/apache/wicket/examples/csp/delayedVisible.css
 
b/wicket-examples/src/main/java/org/apache/wicket/examples/csp/delayedVisible.css
new file mode 100644
index 0000000..d16b283c
--- /dev/null
+++ 
b/wicket-examples/src/main/java/org/apache/wicket/examples/csp/delayedVisible.css
@@ -0,0 +1,7 @@
+.delayed-visible {
+       font-weight: bold;
+}
+
+.delayed-ready .delayed-visible {
+       color: green;
+}
diff --git 
a/wicket-examples/src/main/java/org/apache/wicket/examples/csp/delayedVisible.js
 
b/wicket-examples/src/main/java/org/apache/wicket/examples/csp/delayedVisible.js
new file mode 100644
index 0000000..cc2f7eb
--- /dev/null
+++ 
b/wicket-examples/src/main/java/org/apache/wicket/examples/csp/delayedVisible.js
@@ -0,0 +1,3 @@
+jQuery(document).ready(function() {
+       jQuery('body').addClass('delayed-ready');
+});
