Sebastian T created WICKET-7096:
-----------------------------------
Summary: stylesheets referenced via automatic linking miss nonce
attribute
Key: WICKET-7096
URL: https://issues.apache.org/jira/browse/WICKET-7096
Project: Wicket
Issue Type: Bug
Components: wicket-core
Affects Versions: 10.0.0-M2
Reporter: Sebastian T
I am running a Wicket App with:
{code:java}
getCspSettings().blocking();
getMarkupSettings().setAutomaticLinking(true);
{code}
I have a base.css file in the same folder as the Wicket page and add it to html
like this:
{code:html}
<link rel="stylesheet" href="base.css" type="text/css" />
{code}
This is rendered by wicket to
{code:html}
<link rel="stylesheet"
href="./wicket/resource/com.example.MyPage/base-ver-1705259207805.css"
type="text/css" data-wicket-path="html___autolink__-1754779463"/>
{code}
This result in:
{noformat}
Content-Security-Policy: The page’s settings blocked the loading of a resource
at
http://localhost:8080/wicket/resource/com.example.MyPage/base-ver-1705259207805.css
(“style-src”).
{noformat}
-----------------
If I however add the stylesheet programmatically like this:
{code:java}
public void renderHead(final IHeaderResponse response) {
super.renderHead(response);
response.render(CssHeaderItem.forReference(new
CssResourceReference(MyPage.class, "base.css")));
}
{code}
the required nonce is added as expected:
{code:html}
<link rel="stylesheet"
href="./wicket/resource/com.example.MyPage/base-ver-1705259207805.css"
type="text/css" nonce="Fkg6q7ZOaX_uLN6aFESVwZVM" />
{code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
