This is an automated email from the ASF dual-hosted git repository. svenmeier pushed a commit to branch WICKET-6821-disable-CSP in repository https://gitbox.apache.org/repos/asf/wicket.git
commit f1f95dd92e6c559cf5243fdf59e1ec20821df2c0 Author: Sven Meier <svenme...@apache.org> AuthorDate: Thu Aug 27 19:49:18 2020 +0200 WICKET-6821 disabled CSP --- .../wicket/csp/ContentSecurityPolicySettings.java | 8 ++++++++ .../wicket/protocol/http/WebApplication.java | 6 ++++-- .../csp/CSPSettingRequestCycleListenerTest.java | 23 +++++++++++++++++----- .../head/filter/FilteringHeaderResponseTest.java | 6 ++++++ 4 files changed, 36 insertions(+), 7 deletions(-) diff --git a/wicket-core/src/main/java/org/apache/wicket/csp/ContentSecurityPolicySettings.java b/wicket-core/src/main/java/org/apache/wicket/csp/ContentSecurityPolicySettings.java index a768055..7bd1bdd 100644 --- a/wicket-core/src/main/java/org/apache/wicket/csp/ContentSecurityPolicySettings.java +++ b/wicket-core/src/main/java/org/apache/wicket/csp/ContentSecurityPolicySettings.java @@ -183,4 +183,12 @@ public class ContentSecurityPolicySettings .add(response -> new CSPNonceHeaderResponseDecorator(response, this)); application.mount(new ReportCSPViolationMapper(this)); } + + /** + * Is CSP enabled. + */ + public boolean isEnabled() + { + return configs.values().stream().anyMatch(CSPHeaderConfiguration::isSet); + } } diff --git a/wicket-core/src/main/java/org/apache/wicket/protocol/http/WebApplication.java b/wicket-core/src/main/java/org/apache/wicket/protocol/http/WebApplication.java index 22dcc71..d38cadf 100644 --- a/wicket-core/src/main/java/org/apache/wicket/protocol/http/WebApplication.java +++ b/wicket-core/src/main/java/org/apache/wicket/protocol/http/WebApplication.java @@ -760,8 +760,6 @@ public abstract class WebApplication extends Application getAjaxRequestTargetListeners().add(new AjaxEnclosureListener()); - getCspSettings().enforce(this); - // Configure the app. configure(); if (getConfigurationType() == RuntimeConfigurationType.DEVELOPMENT) 
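Review bot: The Javadoc on the added `isEnabled()` ("Is CSP enabled.") does not say what makes the policy count as enabled, which matters now that the result decides whether the application installs CSP at all. From the body, it is true only when at least one entry in `configs` reports `isSet`, so a settings object with no directives is treated as disabled. I would spell that out, for example `Returns {@code true} if at least one CSP header configuration has directives set; when {@code false}, WebApplication does not call {@link #enforce}.` The method is public and overridable, so the doc should also say that an override changes whether the nonce decorator and the violation-report mapper are registered.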
@@ -782,6 +780,10 @@ public abstract class WebApplication extends Application { super.validateInit(); + if (getCspSettings().isEnabled()) { + getCspSettings().enforce(this); + } + // enable coop and coep listeners if specified in security settings CrossOriginOpenerPolicyConfiguration coopConfig = getSecuritySettings() .getCrossOriginOpenerPolicyConfiguration(); diff --git a/wicket-core/src/test/java/org/apache/wicket/csp/CSPSettingRequestCycleListenerTest.java b/wicket-core/src/test/java/org/apache/wicket/csp/CSPSettingRequestCycleListenerTest.java index 9679cbc..08a4d36 100644 --- a/wicket-core/src/test/java/org/apache/wicket/csp/CSPSettingRequestCycleListenerTest.java +++ b/wicket-core/src/test/java/org/apache/wicket/csp/CSPSettingRequestCycleListenerTest.java @@ -37,21 +37,34 @@ import java.util.Set; import java.util.stream.Collectors; import java.util.stream.Stream; -import org.apache.wicket.mock.MockHomePage; +import org.apache.wicket.mock.MockApplication; import org.apache.wicket.protocol.http.WebApplication; import org.apache.wicket.request.cycle.RequestCycle; import org.apache.wicket.util.tester.DummyHomePage; import org.apache.wicket.util.tester.WicketTestCase; -import org.apache.wicket.util.tester.WicketTester; import org.junit.jupiter.api.Assertions; import org.junit.jupiter.api.Test; public class CSPSettingRequestCycleListenerTest extends WicketTestCase { - @Override - protected WicketTester newWicketTester(WebApplication app) + @Override + protected WebApplication newApplication() { - return new WicketTester(MockHomePage.class); + return new MockApplication() + { + @Override + protected ContentSecurityPolicySettings newCspSettings() + { + return new ContentSecurityPolicySettings(this) + { + @Override + public boolean isEnabled() + { + return true; + } + }; + } + }; } @Test 
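Review bot: The new `if (getCspSettings().isEnabled())` guard in `validateInit()` fails open without leaving any trace. When no directive is set by the time this runs, `enforce(this)` is skipped and pages are served without a Content-Security-Policy header, and nothing in the hunk records that. Because the check runs only once, directives added to the settings after initialisation would presumably never take effect either. I would log the disabled case, e.g. `else { log.info("Content Security Policy is disabled, no CSP headers will be sent"); }` (assuming the class logger is in scope here), and add a comment that CSP has to be configured before `validateInit()` runs. The brace on the `if` line also departs from the brace-on-its-own-line style of the surrounding code; `validateInit()` continues past the end of the hunk.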
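Review bot: The `isEnabled()` override returning `true` in `newApplication()` means this suite never exercises the real predicate added in ContentSecurityPolicySettings, nor the new disabled path in WebApplication. The same override is added in FilteringHeaderResponseTest. A regression that leaves CSP off for a configured application, or on for an unconfigured one, would still pass. I would add one test with unmodified settings asserting that no Content-Security-Policy header is emitted when no directive is configured, and one that sets a directive and asserts `isEnabled()` is true without the override. The test class continues beyond the hunk.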
diff --git a/wicket-core/src/test/java/org/apache/wicket/markup/head/filter/FilteringHeaderResponseTest.java b/wicket-core/src/test/java/org/apache/wicket/markup/head/filter/FilteringHeaderResponseTest.java
index 8adfa94..34c6d8a 100644
--- a/wicket-core/src/test/java/org/apache/wicket/markup/head/filter/FilteringHeaderResponseTest.java
+++ b/wicket-core/src/test/java/org/apache/wicket/markup/head/filter/FilteringHeaderResponseTest.java
@@ -53,6 +53,12 @@ class FilteringHeaderResponseTest extends WicketTestCase
 {
 return "NONCE";
 }
+
+ @Override
+ public boolean isEnabled()
+ {
+ return true;
+ }
 };
 }
 };