[ 
https://issues.apache.org/jira/browse/WICKET-7092?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17802878#comment-17802878
 ] 

Emond Papegaaij commented on WICKET-7092:
-----------------------------------------

This seems like a bug in the tool used to check the application. The 
[specification|https://www.w3.org/TR/CSP3/#framework-directive-source-list] 
says:
{code}
nonce-source  = "'nonce-" base64-value "'"
base64-value  = 1*( ALPHA / DIGIT / "+" / "/" / "-" / "_" )*2( "=" )
{code}
The nonce in your example is {{nonce-QmsK_uBjkJ84B3bGJIXLqMEs}}, which does 
conform to the specification.


> Content Security Policy 'Nonces should only use the base64 charset'
> -------------------------------------------------------------------
>
>                 Key: WICKET-7092
>                 URL: https://issues.apache.org/jira/browse/WICKET-7092
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket-core
>    Affects Versions: 9.16.0
>         Environment: Kali Linux
>            Reporter: sundar
>            Priority: Minor
>         Attachments: image-20240103-092246.png
>
>
> Hi all, I applied a strict content security policy to my application using 
> Wicket after I tested my application using Kali Linux to check for 
> vulnerabilities. The tool provides the report with an info message "Nonces 
> should only use the base64 charset" regarding the info message needed to 
> configure any properties in CSP. I attached the report screenshot.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
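
The grammar check described in the comment above, as an added example that is not part of the original message or of Wicket's code. It validates each nonce-source in a policy against the quoted ABNF and reports whether a check limited to the standard base64 alphabet would reject it. The function names and the sample policy layout are assumptions constructed for illustration; only the nonce value comes from the message.

```javascript
// Grammar quoted from the CSP3 source-list section:
//   nonce-source = "'nonce-" base64-value "'"
//   base64-value = 1*( ALPHA / DIGIT / "+" / "/" / "-" / "_" )*2( "=" )
const BASE64_VALUE = /^[A-Za-z0-9+\/\-_]+={0,2}$/;
// What a check limited to the standard base64 alphabet would accept.
const STANDARD_ONLY = /^[A-Za-z0-9+\/]+={0,2}$/;

// Classify a single source expression such as "'nonce-abc'" (hypothetical helper).
function classifyNonceSource(token) {
  const prefix = "'nonce-";
  const hasPrefix = token.slice(0, prefix.length).toLowerCase() === prefix;
  if (!hasPrefix || !token.endsWith("'")) {
    return { token, isNonce: false };
  }
  const value = token.slice(prefix.length, -1);
  return {
    token,
    isNonce: true,
    value,
    conformsToGrammar: BASE64_VALUE.test(value),
    standardAlphabetOnly: STANDARD_ONLY.test(value),
    usesUrlSafeChars: /[-_]/.test(value),
  };
}

// Walk every directive of a policy string and collect its nonce-sources.
function auditPolicy(policy) {
  const findings = [];
  for (const directive of policy.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (!name) continue; // empty directive, e.g. after a trailing ";"
    for (const source of sources) {
      const result = classifyNonceSource(source);
      if (result.isNonce) findings.push({ directive: name.toLowerCase(), ...result });
    }
  }
  return findings;
}

// Constructed sample policy; the first nonce value is the one from the report.
const SAMPLE_POLICY =
  "script-src 'strict-dynamic' 'nonce-QmsK_uBjkJ84B3bGJIXLqMEs'; " +
  "style-src 'nonce-abc+/12=='; img-src 'self'; " +
  "script-src-elem 'nonce-bad!value';";

for (const f of auditPolicy(SAMPLE_POLICY)) {
  console.log(f.directive, f.value, "grammar:", f.conformsToGrammar,
    "standard-only:", f.standardAlphabetOnly);
}
```

A nonce with `conformsToGrammar: true` and `standardAlphabetOnly: false` is the case from this issue: valid per the specification, but flagged by a tool that only accepts `+` and `/`.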
