[ https://issues.apache.org/jira/browse/WICKET-6682?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16939412#comment-16939412 ]
ASF subversion and git services commented on WICKET-6682:
---------------------------------------------------------

Commit a1a53a9d8da0e06520ff68d58b3f4dd64d329a9f in wicket's branch refs/heads/master from Sven Meier
[ https://gitbox.apache.org/repos/asf?p=wicket.git;h=a1a53a9 ]

WICKET-6682 CSP must use 'strict-dynamic' to allow dynamically added JS resources

> Improve JavaScriptContentHeaderItem and JavaScriptUtils to support nonce
> ------------------------------------------------------------------------
>
>                 Key: WICKET-6682
>                 URL: https://issues.apache.org/jira/browse/WICKET-6682
>             Project: Wicket
>          Issue Type: Improvement
>          Components: wicket
>    Affects Versions: 8.5.0, 9.0.0-M2
>            Reporter: Andrew Kondratev
>            Assignee: Sven Meier
>            Priority: Major
>              Labels: security
>             Fix For: 9.0.0-M3
>
>
> One of the easy wins for content security policy would be support of a _nonce_
> for inline JavaScript header injections.
> [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#Unsafe_inline_script]
> *Criteria*
> * Set up some kind of request-unique nonce provider
> * Make it possible for JavaScript header items to carry the provided nonce
> * Add the provided nonce to the `Content-Security-Policy: script-src` header
> See in code:
> org.apache.wicket.core.util.string.JavaScriptUtils#writeOpenTag
> org.apache.wicket.markup.head.JavaScriptContentHeaderItem#render

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
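The three criteria from the issue, worked through as an added example that is not Wicket's code: a per-request nonce provider, the `<script nonce="...">` tag a JavaScript header item would render, and the `script-src` header value carrying that nonce together with `'strict-dynamic'` as the commit title requires. The class and method names (`CspNonceExample`, `newNonce`, `cspHeader`, `inlineScript`, `wouldExecute`) are assumptions, not Wicket API; `wouldExecute` is a deliberately simplified model of the browser's nonce check, included only to show why an inline script that lacks the request's nonce is refused under this policy.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example, not Wicket code: per-request CSP nonce for inline script header items. */
public final class CspNonceExample {

    private static final SecureRandom RANDOM = new SecureRandom();

    /** One nonce per request/response: 128 bits from a CSPRNG, base64 encoded.
     *  A nonce must never be reused across responses or be derivable by a page author. */
    static String newNonce() {
        byte[] bytes = new byte[16];
        RANDOM.nextBytes(bytes);
        return Base64.getEncoder().encodeToString(bytes);
    }

    /** Header value for Content-Security-Policy. Only scripts carrying this request's nonce
     *  may run; 'strict-dynamic' additionally lets those trusted scripts load further scripts
     *  they add to the DOM programmatically, which a plain nonce policy would block. */
    static String cspHeader(String nonce) {
        return "script-src 'nonce-" + nonce + "' 'strict-dynamic'";
    }

    /** The inline tag a JavaScript header item has to render so the browser accepts it.
     *  (Assumed shape; Wicket's own writer lives in JavaScriptUtils#writeOpenTag.) */
    static String inlineScript(String nonce, String js) {
        return "<script type=\"text/javascript\" nonce=\"" + nonce + "\">" + js + "</script>";
    }

    /** Simplified model of the browser rule: an inline script executes only if its nonce
     *  attribute matches a 'nonce-...' source listed in the script-src directive. */
    static boolean wouldExecute(String cspHeaderValue, String scriptTag) {
        Matcher m = Pattern.compile("nonce=\"([^\"]*)\"").matcher(scriptTag);
        if (!m.find()) {
            return false; // no nonce attribute at all: refused
        }
        String wanted = "'nonce-" + m.group(1) + "'";
        for (String source : cspHeaderValue.split("\\s+")) {
            if (source.equals(wanted)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        String nonce = newNonce();
        String header = cspHeader(nonce);

        // Script emitted by the application for this response, carrying the request's nonce.
        String trusted = inlineScript(nonce, "console.log('header item');");

        // Constructed sample of markup that reached the page without the nonce
        // (e.g. reflected through unescaped user content): the policy refuses it.
        String untrusted = "<script>console.log('not from the header item');</script>";

        System.out.println("Content-Security-Policy: " + header);
        System.out.println("trusted tag executes:   " + wouldExecute(header, trusted));
        System.out.println("untrusted tag executes: " + wouldExecute(header, untrusted));
    }
}
```

Two points to keep in mind when wiring this into a real response: the nonce must be generated once per request and shared between the header writer and every header item rendered for that response (the "request-unique nonce provider" in the issue), and in browsers that understand `'strict-dynamic'` the host and scheme allowlists and `'unsafe-inline'` are ignored, so the nonce becomes the only root of trust for script execution on the page.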