This is an automated email from the ASF dual-hosted git repository.

martin-g pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/wicket.git


The following commit(s) were added to refs/heads/master by this push:
     new f25892286e WICKET-7172: Extend CSP with support for script-src-attr, 
style-src-attr (#1341)
f25892286e is described below

commit f25892286e26996e6775406d587db614677307e8
Author: Kees van Dieren <[email protected]>
AuthorDate: Tue Apr 21 14:55:36 2026 +0200

    WICKET-7172: Extend CSP with support for script-src-attr, style-src-attr 
(#1341)
    
    * Add support for script-src-attr, style-src-attr
    
    * Fixed brackets indentation
    
    * Fixed brackets indentation
    
    * refactor for logic condition
    
    * Drop unsupported directive
    
    Not listed here: 
https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy
    
    * WICKET-7172: Improve the unit tests
    
    * Use equals() to compare the values
    
    * Correct implementation for script-src-attributes and style-src-attributes
    
    Support additional values from spec
    
    Removed specific verifications
    
    ---------
    
    Co-authored-by: Kees van Dieren <[email protected]>
    Co-authored-by: Andrea Del Bene <[email protected]>
    Co-authored-by: Martin Tzvetanov Grigorov <[email protected]>
    Co-authored-by: Martin Grigorov <[email protected]>
---
 .../java/org/apache/wicket/csp/CSPDirective.java   | 14 +++--
 .../apache/wicket/csp/CSPDirectiveSrcValue.java    |  2 +
 .../org/apache/wicket/csp/CSPDirectiveTest.java    | 60 ++++++++++++++++++++++
 3 files changed, 71 insertions(+), 5 deletions(-)

diff --git a/wicket-core/src/main/java/org/apache/wicket/csp/CSPDirective.java 
b/wicket-core/src/main/java/org/apache/wicket/csp/CSPDirective.java
index 235358a02f..e21275ee54 100644
--- a/wicket-core/src/main/java/org/apache/wicket/csp/CSPDirective.java
+++ b/wicket-core/src/main/java/org/apache/wicket/csp/CSPDirective.java
@@ -35,7 +35,11 @@ public enum CSPDirective
 {
        DEFAULT_SRC("default-src"),
        SCRIPT_SRC("script-src"),
+       SCRIPT_SRC_ATTR("script-src-attr"),
+       SCRIPT_SRC_ELEM("script-src-elem"),
        STYLE_SRC("style-src"),
+       STYLE_SRC_ATTR("style-src-attr"),
+       STYLE_SRC_ELEM("style-src-elem"),
        IMG_SRC("img-src"),
        CONNECT_SRC("connect-src"),
        FONT_SRC("font-src"),
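Review bot: None of the four new constants overrides checkValueForDirective, so SCRIPT_SRC_ATTR, STYLE_SRC_ATTR, SCRIPT_SRC_ELEM and STYLE_SRC_ELEM all fall back to the default check described in the Javadoc further down (wildcard/'none' conflicts plus URI validity), and the commit message says the directive-specific verification was dropped on purpose, but nothing at the declaration records that decision. A one-line comment above SCRIPT_SRC_ATTR would save the next reader from re-deriving it: `// -attr/-elem variants rely on the default checkValueForDirective; no directive-specific validation`. If I read CSP3 correctly, host and scheme sources are ignored by browsers for the -attr pair, so a policy author adding them here gets no warning; that caveat belongs in the same comment or in the enum's Javadoc rather than in code. The enum body continues outside the hunk.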
@@ -121,7 +125,7 @@ public enum CSPDirective
                }
        };
 
-       private String value;
+       private final String value;
 
        CSPDirective(String value)
        {
@@ -135,7 +139,7 @@ public enum CSPDirective
 
        /**
         * Check if {@code value} can be added to the list of other values. By 
default, it checks for
-        * conflicts with wildcards and none and it checks if values are valid 
uris.
+        * conflicts with wildcards and none, and it checks if values are valid 
uris.
         *
         * @param value
         *            The value to add.
@@ -185,11 +189,11 @@ public enum CSPDirective
                {
                        return null;
                }
-               for (int i = 0; i < values().length; i++)
+               for (CSPDirective directive : values())
                {
-                       if (value.equals(values()[i].getValue()))
+                       if (value.equals(directive.getValue()))
                        {
-                               return values()[i];
+                               return directive;
                        }
                }
                return null;
diff --git 
a/wicket-core/src/main/java/org/apache/wicket/csp/CSPDirectiveSrcValue.java 
b/wicket-core/src/main/java/org/apache/wicket/csp/CSPDirectiveSrcValue.java
index f2398001c1..86f6c6e50d 100644
--- a/wicket-core/src/main/java/org/apache/wicket/csp/CSPDirectiveSrcValue.java
+++ b/wicket-core/src/main/java/org/apache/wicket/csp/CSPDirectiveSrcValue.java
@@ -28,7 +28,9 @@ public enum CSPDirectiveSrcValue implements CSPRenderable
        SELF("'self'"),
        UNSAFE_INLINE("'unsafe-inline'"),
        UNSAFE_EVAL("'unsafe-eval'"),
+       UNSAFE_HASHES("'unsafe-hashes'"),
        STRICT_DYNAMIC("'strict-dynamic'"),
+       REPORT_SAMPLE("'report-sample'"),
        NONCE("'nonce-%1$s'")
        {
                @Override
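Review bot: UNSAFE_HASHES and REPORT_SAMPLE are added without Javadoc, and both change what a policy means in ways a policy author should see at the declaration: 'unsafe-hashes' lets a hash source also match inline event handler attributes and javascript: navigation, and 'report-sample' asks the browser to include a snippet of the violating inline code in violation reports. I'd add `/** Lets hash sources also match inline event handlers and javascript: URLs; relaxes the default hash semantics. */` above UNSAFE_HASHES and `/** Include a sample of the violating inline code in violation reports; the sample may carry page content. */` above REPORT_SAMPLE. Neither constant carries a rendering override like NONCE below it, so each renders as the literal keyword, which is presumably intended. The enum continues outside the hunk.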
diff --git 
a/wicket-core/src/test/java/org/apache/wicket/csp/CSPDirectiveTest.java 
b/wicket-core/src/test/java/org/apache/wicket/csp/CSPDirectiveTest.java
new file mode 100644
index 0000000000..dcc1ce6013
--- /dev/null
+++ b/wicket-core/src/test/java/org/apache/wicket/csp/CSPDirectiveTest.java
@@ -0,0 +1,60 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.wicket.csp;
+
+import org.junit.jupiter.api.Test;
+
+import java.util.List;
+
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+class CSPDirectiveTest {
+
+    @Test
+    void scriptSrcAttrAndStyleSrcAttributesSupportValuesFromSpec()
+    {
+        
CSPDirective.SCRIPT_SRC_ATTR.checkValueForDirective(CSPDirectiveSrcValue.NONE, 
List.of());
+        
CSPDirective.SCRIPT_SRC_ATTR.checkValueForDirective(CSPDirectiveSrcValue.UNSAFE_INLINE,
 List.of());
+        
CSPDirective.SCRIPT_SRC_ATTR.checkValueForDirective(CSPDirectiveSrcValue.UNSAFE_HASHES,
 List.of());
+        
CSPDirective.SCRIPT_SRC_ATTR.checkValueForDirective(CSPDirectiveSrcValue.REPORT_SAMPLE,
 List.of());
+
+        
CSPDirective.STYLE_SRC_ATTR.checkValueForDirective(CSPDirectiveSrcValue.NONE, 
List.of());
+        
CSPDirective.STYLE_SRC_ATTR.checkValueForDirective(CSPDirectiveSrcValue.UNSAFE_INLINE,
 List.of());
+        
CSPDirective.STYLE_SRC_ATTR.checkValueForDirective(CSPDirectiveSrcValue.UNSAFE_HASHES,
 List.of());
+        
CSPDirective.STYLE_SRC_ATTR.checkValueForDirective(CSPDirectiveSrcValue.REPORT_SAMPLE,
 List.of());
+    }
+
+    @Test
+    void scriptSrcAttrAndStyleSrcAttributesDoesNotSupportOthersAndNone()
+    {
+        assertThrows(IllegalArgumentException.class, () ->
+                
CSPDirective.SCRIPT_SRC_ATTR.checkValueForDirective(CSPDirectiveSrcValue.NONE, 
List.of(CSPDirectiveSrcValue.UNSAFE_INLINE)));
+
+        assertThrows(IllegalArgumentException.class, () ->
+                
CSPDirective.STYLE_SRC_ATTR.checkValueForDirective(CSPDirectiveSrcValue.NONE, 
List.of(CSPDirectiveSrcValue.UNSAFE_HASHES)));
+    }
+
+    @Test
+    void scriptSrcAttrAndStyleSrcAttributesDoesNotSupportNoneAndOthers()
+    {
+        assertThrows(IllegalArgumentException.class, () ->
+                
CSPDirective.SCRIPT_SRC_ATTR.checkValueForDirective(CSPDirectiveSrcValue.UNSAFE_INLINE,
 List.of(CSPDirectiveSrcValue.NONE)));
+
+        assertThrows(IllegalArgumentException.class, () ->
+                
CSPDirective.STYLE_SRC_ATTR.checkValueForDirective(CSPDirectiveSrcValue.UNSAFE_HASHES,
 List.of(CSPDirectiveSrcValue.NONE)));
+    }
+}
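Review bot: scriptSrcAttrAndStyleSrcAttributesSupportValuesFromSpec contains no assertion; it passes only because none of the eight calls throws, which a reader cannot tell from the code. Wrap each call as `assertDoesNotThrow(() -> CSPDirective.SCRIPT_SRC_ATTR.checkValueForDirective(CSPDirectiveSrcValue.NONE, List.of()));` and add the matching static import, so the intent is visible and a future change to the method's contract fails loudly. The two assertThrows tests exercise only the generic 'none'-versus-others conflict that every directive inherits, so nothing here distinguishes the -attr constants from SCRIPT_SRC, and SCRIPT_SRC_ELEM/STYLE_SRC_ELEM are not touched at all; a round-trip assertion on the header names, e.g. `assertEquals("script-src-attr", CSPDirective.SCRIPT_SRC_ATTR.getValue());`, would cover the part of the change that reaches the emitted header. Formatting also differs from CSPDirective.java in this same commit: four-space indentation and the class brace on the declaration line, versus tabs and the brace on its own line.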
