Hi Martin and Sebastien,

I see no need for checking if CSP is enabled or not. It is not hard to
write your code to comply with even the strictest CSP. If it works with
the strict CSP, it will also work when CSP is disabled or with a less
strict CSP. Simply follow the few rules explained in the user guide.
Note that if your library needs to check if a nonce is required, this
is already supported, see
ContentSecurityPolicyEnforcer.isNonceEnabled().

Our application uses WiQuery and several other frameworks, and I only
had to make minor changes to make this application fully compliant
with the strict CSP. No changes were required to WiQuery. A small
change is required to the ChartJS library we use
(https://github.com/haster/java-chartjs) because ChartJS tries to
insert a stylesheet into the head. This stylesheet has to be rendered
via Wicket to get the nonce.

Best regards,
Emond

On Thu, Feb 27, 2020 at 2:00 PM Sebastien Briquet <sbriq...@apache.org> wrote:
>
> Hi Martin,
>
> Actually that's a good point! I will try to upgrade Wicket jQuery UI to
> Wicket 9/CSP to see how it behaves...
>
> Thanks and best regards,
> Sebastien
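
The stylesheet case described in the message above, as an added example that is not part of the original thread and is not Wicket or ChartJS code: a simplified model of how a browser decides whether an inline `<style>` element may apply. The policy strings, the nonce value and the function names are constructed for illustration, and hash sources are recognised but not matched.

```javascript
// Parse a CSP header value into Map(directive name -> source expressions).
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // When a directive is repeated, only its first occurrence counts.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Decide whether an inline <style> with the given nonce attribute may apply.
function inlineStyleAllowed(policy, elementNonce) {
  const d = parseCsp(policy);
  // Fallback chain for <style> elements: style-src-elem, style-src, default-src.
  const sources = d.get('style-src-elem') ?? d.get('style-src') ?? d.get('default-src');
  if (sources === undefined) return true; // no governing directive, no restriction
  const lower = sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = lower.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  // Nonce values are case-sensitive, so match against the unmodified source.
  if (elementNonce && sources.includes(`'nonce-${elementNonce}'`)) return true;
  // 'unsafe-inline' is ignored as soon as a nonce or hash source is present.
  return lower.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Constructed sample policies: a nonce-based strict one and a looser one.
const STRICT = "default-src 'none'; script-src 'strict-dynamic' 'nonce-r4nd0mConstructed'; " +
  "style-src 'nonce-r4nd0mConstructed'";
const LOOSE = "default-src 'self'; style-src 'self' 'unsafe-inline'";

function demo() {
  return {
    // <style> appended to <head> by a client-side library, no nonce attribute
    libraryInjectedStrict: inlineStyleAllowed(STRICT, null),
    // the same CSS rendered server-side so the element carries the nonce
    frameworkRenderedStrict: inlineStyleAllowed(STRICT, 'r4nd0mConstructed'),
    // nonce-carrying markup keeps working under a looser policy or none at all
    frameworkRenderedLoose: inlineStyleAllowed(LOOSE, 'r4nd0mConstructed'),
    frameworkRenderedNoCsp: inlineStyleAllowed('', 'r4nd0mConstructed'),
  };
}

console.log(demo());
```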
