Thanks Edmond! This seems like the right opportunity to pick this ticket up. I've added it to our references :) stay tuned!
On 2020/06/05 12:56:00, Emond Papegaaij <emond.papega...@gmail.com> wrote: > Hi Santiago, > > It's always nice to get some help in maintaining Wicket. Wicket has > always been strong wrt security. That's one of the reasons why at > Topicus we use it to power our Identity and Access Management solution > called Topicus KeyHub. > > Just a few weeks ago I filed the following ticket > https://issues.apache.org/jira/browse/WICKET-6786 . Wicket already has > some form of CSRF protection, but it uses the Origin header to detect > cross-site requests. This works most of the time, but is not as > reliable as using the new fetch metadata. IMHO the current > implementation should be enhanced with support for the fetch metadata > headers, with a fallback to the old approach. I haven't had the time > to work on the implementation, but it's on my todo list. > > I must admit I did not yet know about the existence of trusted types. > I do think Wicket would be a good fit for that protection. It already > defines clear paths through which the DOM can be manipulated. > > Best regards, > Emond > > On Fri, Jun 5, 2020 at 12:38 PM Santiago Díaz > <sald...@google.com.invalid> wrote: > > > > Hello Wicket devs! > > > > Thanks for pointing out the Jira tickets that I missed! I didn't realise > > that you already have extensive CSP support. Great job on getting rid of > > both unsafe-inline & unsafe-eval! > > > > In that case, we will be shifting focus towards improving Wicket's security > > through one or more of the following security enhancements: > > > > - Protecting against DOM XSS: > > - Trusted Types is a strong protection against DOM XSS. There is a > > great primer at https://web.dev/trusted-types/ > > > > - Protecting against Cross-Site Request Forgery, XS-Leaks, Spectre & timing > > attacks through site isolation: > > - Fetch Metadata. See > > https://developer.mozilla.org/en-US/docs/Glossary/Fetch_metadata_request_header#:~:text=A%20fetch%20metadata%20request%20header,not%20be%20modified%20from%20JavaScript. > > - Cross-Origin Opener Policy. See https://web.dev/why-coop-coep/ > > > > I am somewhat familiar with ASF's general contribution guidelines but if > > you would like to point us to any resources that you think will make our > > collaboration smoother, I will be happy to share them internally. Tobias' > > suggestion on giving some additional context on challenges you've found > > sounds great. > > > > We are still at a very early stage of our project, but I will use this > > thread to keep you updated on progress & questions. > > > > Cheers! > > > > > > On Fri, Jun 5, 2020 at 12:12 PM Andrew Kondratev <and...@kondratev.pro> > > wrote: > > > > On 2020/06/05 10:09:23, Andrew Kondratev <and...@kondratev.pro> wrote: > > > >> IMO we should explain that the CSP support has been already added in > > > >> 9.x > > > >> and to close this forgotten JIRA ticket. > > > >> Then if they still think there are ways to improve the current > > > >> implementation they are very welcome to contribute! > > > > > > Martin, I did tell it first: > > > > > > >> Hi Santiago. > > > >> > > > >> The CSP support has actually improved a lot since then. > > > >> Wicket got rid of evals in the code, see here > > > https://github.com/apache/wicket/pull/384 / > > > https://issues.apache.org/jira/browse/WICKET-6703 > > > >> > > > >> How exactly are you going to boost the work and how can I personally > > > help you? > > > >> > > > >> I'll forward your question to dev@wicket.apache.org > > > >> > > > >> Cheers, > > > >> Andrew > > > > > > пт, 5 июн. 2020 г. в 18:31, Martin Grigorov <mgrigo...@apache.org>: > > > > > > > Hi, > > > > > > > > On Fri, Jun 5, 2020 at 6:17 AM Tobias Soloschenko > > > > <tobiassolosche...@googlemail.com.invalid> wrote: > > > > > > > > > Hi, > > > > > > > > > > to my opinion they just want to contribute to Wicket. I would simply > > > > > explain how the process of contribution works at ASF (PRs, etc.) and > > > > > give > > > > > them some information what challenges we were faced with till now. > > > > > > > > > > > > > IMO we should explain that the CSP support has been already added in 9.x > > > > and to close this forgotten JIRA ticket. > > > > Then if they still think there are ways to improve the current > > > > implementation they are very welcome to contribute! > > > > > > > > @Andrew feel free to point them to this discussion. One can join at > > > > > > > > https://lists.apache.org/thread.html/rbd8b1500fff1140d136a08e35cf8c0f5cf200bf8a60b6a58204ef9a7%40%3Cdev.wicket.apache.org%3E > > > > > > > > > > > > > > > > > > kind regards > > > > > > > > > > Tobias > > > > > > > > > > > Am 05.06.2020 um 02:18 schrieb Andrew Kondratev > > > > > > <and...@kondratev.pro > > > > >: > > > > > > > > > > > > Hi colleagues! I just received this email. Not sure what this all > > > > means. > > > > > > > > > > > > ---------- Forwarded message --------- > > > > > > От: Santiago Díaz <sald...@google.com> > > > > > > Date: чт, 4 июн. 2020 г. в 21:47 > > > > > > Subject: Contribution - CSP support for Wicket > > > > > > To: <andru...@gmail.com> > > > > > > > > > > > > > > > > > > Hello Andrew, > > > > > > > > > > > > My name is Santiago, I'm a Security Engineer at Google. I am > > > > > > currently > > > > > > making preparations to receive a small group of interns for this > > > > summer's > > > > > > Google internships and found your email during the course of my > > > > research. > > > > > > > > > > > > *Context* > > > > > > Here at Google we have a lot of experience deploying security > > > > mechanisms > > > > > > (like Content Security Policy, Trusted Types, Fetch Metadata, > > > > > Cross-Origin > > > > > > Opener Policy and others) at scale. We understand the pains of > > > > designing > > > > > > strong security policies, finding blockers for their deployment and > > > > > > locating pieces of code that need refactoring. > > > > > > > > > > > > *Why are you receiving this email?* > > > > > > For this year's internships (and considering the current global > > > > > situation) > > > > > > we would like to contribute to selected open source projects, > > > > > > bringing > > > > > some > > > > > > of our experience to *encourage adoption of some of these security > > > > > > enhancements*. Wicket is one of the projects we have shortlisted and > > > > we'd > > > > > > be happy to collaborate with you! > > > > > > > > > > > > I found out that there is an ongoing discussion over at > > > > > > https://issues.apache.org/jira/browse/WICKET-5406 to improve CSP > > > > > support in > > > > > > Wicket and that *you have been running some experiments on what that > > > > > would > > > > > > look like*. > > > > > > > > > > > > Having said that, it would be great if we could boost your work > > > > > > instead > > > > > of > > > > > > reinventing the wheel. As such, I would like to know if you'd be > > > > > > open > > > > to > > > > > > our contributions and if so, whether you'd be willing to give me > > > > > > some > > > > > > context on what has been done, what issues you've come across and > > > > whether > > > > > > you have any thoughts on what would be the best way for us to > > > > contribute. > > > > > > > > > > > > Thank you for reading and I'm looking forward to hearing from you! > > > > > > :) > > > > > > > > > > > > S. > > > > > > > > > > > > >