[ https://issues.apache.org/jira/browse/WICKET-7092?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17802878#comment-17802878 ]
Emond Papegaaij commented on WICKET-7092:
-----------------------------------------

This seems like a bug in the tool used to check the application. The [specification|https://www.w3.org/TR/CSP3/#framework-directive-source-list] says:
{code}
nonce-source = "'nonce-" base64-value "'"
base64-value = 1*( ALPHA / DIGIT / "+" / "/" / "-" / "_" )*2( "=" )
{code}
The nonce in your example is {{nonce-QmsK_uBjkJ84B3bGJIXLqMEs}}, which does conform to the specification.

> Content Security Policy 'Nonces should only use the base64 charset'
> -------------------------------------------------------------------
>
>                 Key: WICKET-7092
>                 URL: https://issues.apache.org/jira/browse/WICKET-7092
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket-core
>    Affects Versions: 9.16.0
>         Environment: Kali Linux
>            Reporter: sundar
>            Priority: Minor
>         Attachments: image-20240103-092246.png
>
>
> Hi all, I applied a strict content security policy to my application using
> wicket after I tested my application using Kali Linux to check for
> vulnerabilities. The tool provides the report with an info message "Nonces
> should only use the base64 charset" regarding the info message needed to
> configure any properties in CSP. I attached the report screenshot

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
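
The grammar quoted in the comment above, turned into a check (an added example, not part of the original message or of Wicket's code): it extracts nonce sources from a CSP header value and separates nonces that are valid under the CSP3 grammar from those that also fit the standard base64 alphabet. That the scanner accepts only the standard alphabet is an assumption; the sample header is constructed, and only its first nonce comes from the issue.

```python
import re

# base64-value = 1*( ALPHA / DIGIT / "+" / "/" / "-" / "_" )*2( "=" )  (CSP3 grammar)
CSP3_BASE64_VALUE = re.compile(r"[A-Za-z0-9+/\-_]+={0,2}")
# Standard base64 alphabet only, no "-" or "_". Assumption: this is what the scanner tests.
STD_BASE64_VALUE = re.compile(r"[A-Za-z0-9+/]+={0,2}")
NONCE_SOURCE = re.compile(r"'nonce-([^']*)'")


def nonce_values(policy):
    """Return (directive, nonce value) pairs found in a CSP header value."""
    found = []
    for directive in policy.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        for token in tokens[1:]:
            match = NONCE_SOURCE.fullmatch(token)
            if match:
                found.append((name, match.group(1)))
    return found


def classify(value):
    """Classify one nonce value against the two character sets."""
    if not CSP3_BASE64_VALUE.fullmatch(value):
        return "invalid"           # not a nonce-source under the CSP3 grammar
    if STD_BASE64_VALUE.fullmatch(value):
        return "valid-standard"    # valid, and standard base64 alphabet only
    return "valid-base64url"       # valid per CSP3, but contains "-" or "_"


def report(policy):
    """Return (directive, nonce value, verdict) for every nonce in the policy."""
    return [(d, v, classify(v)) for d, v in nonce_values(policy)]


# Constructed header; only the first nonce value is taken from the issue.
SAMPLE_POLICY = (
    "default-src 'none'; "
    "script-src 'strict-dynamic' 'nonce-QmsK_uBjkJ84B3bGJIXLqMEs'; "
    "style-src 'self' 'nonce-c2FtcGxlK25vbmNlLw=='; "
    "script-src-elem 'nonce-not*valid'"
)

if __name__ == "__main__":
    for directive, value, verdict in report(SAMPLE_POLICY):
        print(f"{directive:16} {value:28} {verdict}")
```

A `valid-base64url` verdict is the case from the issue: the nonce satisfies the CSP3 grammar, so a finding that rejects it reflects a narrower character set in the checker, not a malformed policy.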