>> IMO we should explain that the CSP support has been already added in 9.x
>> and to close this forgotten JIRA ticket.
>> Then if they still think there are ways to improve the current
>> implementation they are very welcome to contribute!

Martin, I did tell it first:

>> Hi Santiago.
>>
>> The CSP support has actually improved a lot since then.
>> Wicket got rid of evals in the code, see here https://github.com/apache/wicket/pull/384 / https://issues.apache.org/jira/browse/WICKET-6703
>>
>> How exactly are you going to boost the work and how can I personally help you?
>>
>> I'll forward your question to dev@wicket.apache.org
>>
>> Cheers,
>> Andrew

On Fri, Jun 5, 2020 at 18:31, Martin Grigorov <mgrigo...@apache.org> wrote:

> Hi,
>
> On Fri, Jun 5, 2020 at 6:17 AM Tobias Soloschenko
> <tobiassolosche...@googlemail.com.invalid> wrote:
>
> > Hi,
> >
> > in my opinion they just want to contribute to Wicket. I would simply
> > explain how the process of contribution works at ASF (PRs, etc.) and give
> > them some information what challenges we were faced with till now.
> >
>
> IMO we should explain that the CSP support has been already added in 9.x
> and to close this forgotten JIRA ticket.
> Then if they still think there are ways to improve the current
> implementation they are very welcome to contribute!
>
> > @Andrew feel free to point them to this discussion. One can join at
> > https://lists.apache.org/thread.html/rbd8b1500fff1140d136a08e35cf8c0f5cf200bf8a60b6a58204ef9a7%40%3Cdev.wicket.apache.org%3E
> >
> > kind regards
> >
> > Tobias
> >
> > > On 05.06.2020 at 02:18, Andrew Kondratev <and...@kondratev.pro> wrote:
> > >
> > > Hi colleagues! I just received this email. Not sure what this all means.
> > >
> > > ---------- Forwarded message ---------
> > > From: Santiago Díaz <sald...@google.com>
> > > Date: Thu, Jun 4, 2020 at 21:47
> > > Subject: Contribution - CSP support for Wicket
> > > To: <andru...@gmail.com>
> > >
> > >
> > > Hello Andrew,
> > >
> > > My name is Santiago, I'm a Security Engineer at Google. I am currently
> > > making preparations to receive a small group of interns for this summer's
> > > Google internships and found your email during the course of my research.
> > >
> > > *Context*
> > > Here at Google we have a lot of experience deploying security mechanisms
> > > (like Content Security Policy, Trusted Types, Fetch Metadata, Cross-Origin
> > > Opener Policy and others) at scale. We understand the pains of designing
> > > strong security policies, finding blockers for their deployment and
> > > locating pieces of code that need refactoring.
> > >
> > > *Why are you receiving this email?*
> > > For this year's internships (and considering the current global situation)
> > > we would like to contribute to selected open source projects, bringing some
> > > of our experience to *encourage adoption of some of these security
> > > enhancements*. Wicket is one of the projects we have shortlisted and we'd
> > > be happy to collaborate with you!
> > >
> > > I found out that there is an ongoing discussion over at
> > > https://issues.apache.org/jira/browse/WICKET-5406 to improve CSP support in
> > > Wicket and that *you have been running some experiments on what that would
> > > look like*.
> > >
> > > Having said that, it would be great if we could boost your work instead of
> > > reinventing the wheel. As such, I would like to know if you'd be open to
> > > our contributions and if so, whether you'd be willing to give me some
> > > context on what has been done, what issues you've come across and whether
> > > you have any thoughts on what would be the best way for us to contribute.
> > >
> > > Thank you for reading and I'm looking forward to hearing from you! :)
> > >
> > > S.
> > >