This is an automated email from the ASF dual-hosted git repository.
martin-g pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/wicket.git
The following commit(s) were added to refs/heads/master by this push:
new f25892286e WICKET-7172: Extend CSP with support for script-src-attr,
style-src-attr (#1341)
f25892286e is described below
commit f25892286e26996e6775406d587db614677307e8
Author: Kees van Dieren <[email protected]>
AuthorDate: Tue Apr 21 14:55:36 2026 +0200
WICKET-7172: Extend CSP with support for script-src-attr, style-src-attr
(#1341)
* Add support for script-src-attr, style-src-attr
* Fixed brackets indentation
* Fixed brackets indentation
* refactor for logic condition
* Drop unsupported directive
Not listed here:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy
* WICKET-7172: Improve the unit tests
* Use equals() to compare the values
* Correct implementation for script-src-attributes and style-src-attributes
Support additional values from spec
Removed specific verifications
---------
Co-authored-by: Kees van Dieren <[email protected]>
Co-authored-by: Andrea Del Bene <[email protected]>
Co-authored-by: Martin Tzvetanov Grigorov <[email protected]>
Co-authored-by: Martin Grigorov <[email protected]>
---
.../java/org/apache/wicket/csp/CSPDirective.java | 14 +++--
.../apache/wicket/csp/CSPDirectiveSrcValue.java | 2 +
.../org/apache/wicket/csp/CSPDirectiveTest.java | 60 ++++++++++++++++++++++
3 files changed, 71 insertions(+), 5 deletions(-)
diff --git a/wicket-core/src/main/java/org/apache/wicket/csp/CSPDirective.java
b/wicket-core/src/main/java/org/apache/wicket/csp/CSPDirective.java
index 235358a02f..e21275ee54 100644
--- a/wicket-core/src/main/java/org/apache/wicket/csp/CSPDirective.java
+++ b/wicket-core/src/main/java/org/apache/wicket/csp/CSPDirective.java
@@ -35,7 +35,11 @@ public enum CSPDirective
{
DEFAULT_SRC("default-src"),
SCRIPT_SRC("script-src"),
+ SCRIPT_SRC_ATTR("script-src-attr"),
+ SCRIPT_SRC_ELEM("script-src-elem"),
STYLE_SRC("style-src"),
+ STYLE_SRC_ATTR("style-src-attr"),
+ STYLE_SRC_ELEM("style-src-elem"),
IMG_SRC("img-src"),
CONNECT_SRC("connect-src"),
FONT_SRC("font-src"),
@@ -121,7 +125,7 @@ public enum CSPDirective
}
};
- private String value;
+ private final String value;
CSPDirective(String value)
{
@@ -135,7 +139,7 @@ public enum CSPDirective
/**
* Check if {@code value} can be added to the list of other values. By
default, it checks for
- * conflicts with wildcards and none and it checks if values are valid
uris.
+ * conflicts with wildcards and none, and it checks if values are valid
uris.
*
* @param value
* The value to add.
@@ -185,11 +189,11 @@ public enum CSPDirective
{
return null;
}
- for (int i = 0; i < values().length; i++)
+ for (CSPDirective directive : values())
{
- if (value.equals(values()[i].getValue()))
+ if (value.equals(directive.getValue()))
{
- return values()[i];
+ return directive;
}
}
return null;
diff --git
a/wicket-core/src/main/java/org/apache/wicket/csp/CSPDirectiveSrcValue.java
b/wicket-core/src/main/java/org/apache/wicket/csp/CSPDirectiveSrcValue.java
index f2398001c1..86f6c6e50d 100644
--- a/wicket-core/src/main/java/org/apache/wicket/csp/CSPDirectiveSrcValue.java
+++ b/wicket-core/src/main/java/org/apache/wicket/csp/CSPDirectiveSrcValue.java
@@ -28,7 +28,9 @@ public enum CSPDirectiveSrcValue implements CSPRenderable
SELF("'self'"),
UNSAFE_INLINE("'unsafe-inline'"),
UNSAFE_EVAL("'unsafe-eval'"),
+ UNSAFE_HASHES("'unsafe-hashes'"),
STRICT_DYNAMIC("'strict-dynamic'"),
+ REPORT_SAMPLE("'report-sample'"),
NONCE("'nonce-%1$s'")
{
@Override
diff --git
a/wicket-core/src/test/java/org/apache/wicket/csp/CSPDirectiveTest.java
b/wicket-core/src/test/java/org/apache/wicket/csp/CSPDirectiveTest.java
new file mode 100644
index 0000000000..dcc1ce6013
--- /dev/null
+++ b/wicket-core/src/test/java/org/apache/wicket/csp/CSPDirectiveTest.java
@@ -0,0 +1,60 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.wicket.csp;
+
+import org.junit.jupiter.api.Test;
+
+import java.util.List;
+
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+class CSPDirectiveTest {
+
+ @Test
+ void scriptSrcAttrAndStyleSrcAttributesSupportValuesFromSpec()
+ {
+
CSPDirective.SCRIPT_SRC_ATTR.checkValueForDirective(CSPDirectiveSrcValue.NONE,
List.of());
+
CSPDirective.SCRIPT_SRC_ATTR.checkValueForDirective(CSPDirectiveSrcValue.UNSAFE_INLINE,
List.of());
+
CSPDirective.SCRIPT_SRC_ATTR.checkValueForDirective(CSPDirectiveSrcValue.UNSAFE_HASHES,
List.of());
+
CSPDirective.SCRIPT_SRC_ATTR.checkValueForDirective(CSPDirectiveSrcValue.REPORT_SAMPLE,
List.of());
+
+
CSPDirective.STYLE_SRC_ATTR.checkValueForDirective(CSPDirectiveSrcValue.NONE,
List.of());
+
CSPDirective.STYLE_SRC_ATTR.checkValueForDirective(CSPDirectiveSrcValue.UNSAFE_INLINE,
List.of());
+
CSPDirective.STYLE_SRC_ATTR.checkValueForDirective(CSPDirectiveSrcValue.UNSAFE_HASHES,
List.of());
+
CSPDirective.STYLE_SRC_ATTR.checkValueForDirective(CSPDirectiveSrcValue.REPORT_SAMPLE,
List.of());
+ }
+
+ @Test
+ void scriptSrcAttrAndStyleSrcAttributesDoesNotSupportOthersAndNone()
+ {
+ assertThrows(IllegalArgumentException.class, () ->
+
CSPDirective.SCRIPT_SRC_ATTR.checkValueForDirective(CSPDirectiveSrcValue.NONE,
List.of(CSPDirectiveSrcValue.UNSAFE_INLINE)));
+
+ assertThrows(IllegalArgumentException.class, () ->
+
CSPDirective.STYLE_SRC_ATTR.checkValueForDirective(CSPDirectiveSrcValue.NONE,
List.of(CSPDirectiveSrcValue.UNSAFE_HASHES)));
+ }
+
+ @Test
+ void scriptSrcAttrAndStyleSrcAttributesDoesNotSupportNoneAndOthers()
+ {
+ assertThrows(IllegalArgumentException.class, () ->
+
CSPDirective.SCRIPT_SRC_ATTR.checkValueForDirective(CSPDirectiveSrcValue.UNSAFE_INLINE,
List.of(CSPDirectiveSrcValue.NONE)));
+
+ assertThrows(IllegalArgumentException.class, () ->
+
CSPDirective.STYLE_SRC_ATTR.checkValueForDirective(CSPDirectiveSrcValue.UNSAFE_HASHES,
List.of(CSPDirectiveSrcValue.NONE)));
+ }
+}