Re: Security Check of Mozilla / Wicket implementation
Hi, I just took one of the callbacks and thought that it is more save to add the headers at to the end of the request cycle. There is actually no concrete cause why onEndRequest. kind regards Tobias > Am 28.08.2016 um 23:57 schrieb Carl-Eric Menzel: > > Hi Tobias, > > thanks for collecting the headers, that saves me the effort :-) I know > it's easy to write, I was just suggesting we add something like this to > Wicket itself. I'll see whether I can come up with something simple and > flexible enough. > > One question: Why onEndRequest? > > Carl-Eric > > On Sun, 28 Aug 2016 15:52:32 +0200 > Tobias Soloschenko wrote: > >> Hi, >> >> you are able to implement the security headers in a very easy way. >> See: >> >> Mozilla tool to check web security: https://observatory.mozilla.org/ >> >> Demo wicket application (might be down or change after a while): >> https://wicketsecurity-klopfdreh.rhcloud.com/ >> >> The test: >> https://observatory.mozilla.org/analyze.html?host=wicketsecurity-klopfdreh.rhcloud.com >> >> The implementation within your Wicket Application: >> >> @Override >> protected void init() >> { >> super.init(); >> >> getRequestCycleListeners().add(new >> AbstractRequestCycleListener(){ @Override >> public void onEndRequest(RequestCycle cycle) >> { >> ((WebResponse)cycle.getResponse()).setHeader("X-XSS-Protection", "1; >> mode=block"); >> ((WebResponse)cycle.getResponse()).setHeader("Strict-Transport-Security", >> "max-age=31536000; includeSubDomains; preload"); >> ((WebResponse)cycle.getResponse()).setHeader("X-Content-Type-Options", >> "nosniff"); >> ((WebResponse)cycle.getResponse()).setHeader("X-Frame-Options", >> "DENY"); >> ((WebResponse)cycle.getResponse()).setHeader("Content-Security-Policy", >> "default-src https:"); // Google "for Content-Security-Policy" to >> allow more domains } >> }); >> } >> >> The result: >> A- << (because of redirection settings of tomcat - I >> was not able to change them that fast) >> >> To get A just enable a server redirect like mentioned here: >> >> https://wiki.mozilla.org/Security/Guidelines/Web_Security#HTTP_Redirections >> >> kind regards >> >> Tobias >> >>> Am 28.08.16 um 10:28 schrieb Carl-Eric Menzel: >>> I think it would be a good idea to have something like this as an >>> option in Wicket. Something to turn on with a one-liner for the >>> application. There are a bunch of these headers that are useful, >>> plus I recently came across this: >>> >>> https://dev.to/ben/the-targetblank-vulnerability-by-example >>> >>> Should we perhaps also add something that adds the rel="noopener" >>> attribute to links with target="_blank"? >>> >>> I'm all for making these security things as easy as possible for the >>> developer. >>> >>> Carl-Eric >>> >>> On Sat, 27 Aug 2016 18:08:36 +0200 >>> Martin Grigorov wrote: >>> Hi, We use Spring Security in all our applications. It adds these response headers for free. Any other Servlet Filter could do the same but I don't mind adding facilities in Wicket too. Btw one of the security experts from OWASP audited our applications in the last few weeks. Although he've found few problems here and there he said very nice words for Wicket! Martin Grigorov Wicket Training and Consulting https://twitter.com/mtgrigorov On Sat, Aug 27, 2016 at 6:01 PM, Tobias Soloschenko < tobiassolosche...@googlemail.com> wrote: > Hi, > > Mozilla just made a tool public which allows to scan websites for > security risks. Maybe we can somehow add a default set of headers > to the page rendering of Wicket / apply other security relevant > implementations. Or we are able to make them at least optional: > > https://observatory.mozilla.org > > Example header: > > https://wiki.mozilla.org/Security/Guidelines/Web_Security#X-XSS-Protection > > What so you think about that idea? > > kind regards > > Tobias >
Re: Security Check of Mozilla / Wicket implementation
Hi Tobias, thanks for collecting the headers, that saves me the effort :-) I know it's easy to write, I was just suggesting we add something like this to Wicket itself. I'll see whether I can come up with something simple and flexible enough. One question: Why onEndRequest? Carl-Eric On Sun, 28 Aug 2016 15:52:32 +0200 Tobias Soloschenkowrote: > Hi, > > you are able to implement the security headers in a very easy way. > See: > > Mozilla tool to check web security: https://observatory.mozilla.org/ > > Demo wicket application (might be down or change after a while): > https://wicketsecurity-klopfdreh.rhcloud.com/ > > The test: > https://observatory.mozilla.org/analyze.html?host=wicketsecurity-klopfdreh.rhcloud.com > > The implementation within your Wicket Application: > > @Override > protected void init() > { > super.init(); > > getRequestCycleListeners().add(new > AbstractRequestCycleListener(){ @Override > public void onEndRequest(RequestCycle cycle) > { > ((WebResponse)cycle.getResponse()).setHeader("X-XSS-Protection", "1; > mode=block"); > ((WebResponse)cycle.getResponse()).setHeader("Strict-Transport-Security", > "max-age=31536000; includeSubDomains; preload"); > ((WebResponse)cycle.getResponse()).setHeader("X-Content-Type-Options", > "nosniff"); > ((WebResponse)cycle.getResponse()).setHeader("X-Frame-Options", > "DENY"); > ((WebResponse)cycle.getResponse()).setHeader("Content-Security-Policy", > "default-src https:"); // Google "for Content-Security-Policy" to > allow more domains } > }); > } > > The result: >> A- << (because of redirection settings of tomcat - I > was not able to change them that fast) > > To get A just enable a server redirect like mentioned here: > > https://wiki.mozilla.org/Security/Guidelines/Web_Security#HTTP_Redirections > > kind regards > > Tobias > > Am 28.08.16 um 10:28 schrieb Carl-Eric Menzel: > > I think it would be a good idea to have something like this as an > > option in Wicket. Something to turn on with a one-liner for the > > application. There are a bunch of these headers that are useful, > > plus I recently came across this: > > > > https://dev.to/ben/the-targetblank-vulnerability-by-example > > > > Should we perhaps also add something that adds the rel="noopener" > > attribute to links with target="_blank"? > > > > I'm all for making these security things as easy as possible for the > > developer. > > > > Carl-Eric > > > > On Sat, 27 Aug 2016 18:08:36 +0200 > > Martin Grigorov wrote: > > > >> Hi, > >> > >> We use Spring Security in all our applications. > >> It adds these response headers for free. > >> > >> Any other Servlet Filter could do the same but I don't mind adding > >> facilities in Wicket too. > >> > >> Btw one of the security experts from OWASP audited our applications > >> in the last few weeks. Although he've found few problems here and > >> there he said very nice words for Wicket! > >> > >> Martin Grigorov > >> Wicket Training and Consulting > >> https://twitter.com/mtgrigorov > >> > >> On Sat, Aug 27, 2016 at 6:01 PM, Tobias Soloschenko < > >> tobiassolosche...@googlemail.com> wrote: > >> > >>> Hi, > >>> > >>> Mozilla just made a tool public which allows to scan websites for > >>> security risks. Maybe we can somehow add a default set of headers > >>> to the page rendering of Wicket / apply other security relevant > >>> implementations. Or we are able to make them at least optional: > >>> > >>> https://observatory.mozilla.org > >>> > >>> Example header: > >>> > >>> https://wiki.mozilla.org/Security/Guidelines/Web_Security#X-XSS-Protection > >>> > >>> What so you think about that idea? > >>> > >>> kind regards > >>> > >>> Tobias >
Fwd: Re: Security Check of Mozilla / Wicket implementation
Hi, woops it is now A+ because of this in the web.xml: Entire Application /* CONFIDENTIAL kind regards Tobias Weitergeleitete Nachricht Betreff:Re: Security Check of Mozilla / Wicket implementation Datum: Sun, 28 Aug 2016 15:52:32 +0200 Von:Tobias SoloschenkoAn: dev@wicket.apache.org Hi, you are able to implement the security headers in a very easy way. See: Mozilla tool to check web security: https://observatory.mozilla.org/ Demo wicket application (might be down or change after a while): https://wicketsecurity-klopfdreh.rhcloud.com/ The test: https://observatory.mozilla.org/analyze.html?host=wicketsecurity-klopfdreh.rhcloud.com The implementation within your Wicket Application: @Override protected void init() { super.init(); getRequestCycleListeners().add(new AbstractRequestCycleListener(){ @Override public void onEndRequest(RequestCycle cycle) { ((WebResponse)cycle.getResponse()).setHeader("X-XSS-Protection", "1; mode=block"); ((WebResponse)cycle.getResponse()).setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"); ((WebResponse)cycle.getResponse()).setHeader("X-Content-Type-Options", "nosniff"); ((WebResponse)cycle.getResponse()).setHeader("X-Frame-Options", "DENY"); ((WebResponse)cycle.getResponse()).setHeader("Content-Security-Policy", "default-src https:"); // Google "for Content-Security-Policy" to allow more domains } }); } The result: >> A- << (because of redirection settings of tomcat - I was not able to change them that fast) To get A just enable a server redirect like mentioned here: https://wiki.mozilla.org/Security/Guidelines/Web_Security#HTTP_Redirections kind regards Tobias Am 28.08.16 um 10:28 schrieb Carl-Eric Menzel: I think it would be a good idea to have something like this as an option in Wicket. Something to turn on with a one-liner for the application. There are a bunch of these headers that are useful, plus I recently came across this: https://dev.to/ben/the-targetblank-vulnerability-by-example Should we perhaps also add something that adds the rel="noopener" attribute to links with target="_blank"? I'm all for making these security things as easy as possible for the developer. Carl-Eric On Sat, 27 Aug 2016 18:08:36 +0200 Martin Grigorov wrote: Hi, We use Spring Security in all our applications. It adds these response headers for free. Any other Servlet Filter could do the same but I don't mind adding facilities in Wicket too. Btw one of the security experts from OWASP audited our applications in the last few weeks. Although he've found few problems here and there he said very nice words for Wicket! Martin Grigorov Wicket Training and Consulting https://twitter.com/mtgrigorov On Sat, Aug 27, 2016 at 6:01 PM, Tobias Soloschenko < tobiassolosche...@googlemail.com> wrote: Hi, Mozilla just made a tool public which allows to scan websites for security risks. Maybe we can somehow add a default set of headers to the page rendering of Wicket / apply other security relevant implementations. Or we are able to make them at least optional: https://observatory.mozilla.org Example header: https://wiki.mozilla.org/Security/Guidelines/Web_Security#X-XSS-Protection What so you think about that idea? kind regards Tobias
Re: Security Check of Mozilla / Wicket implementation
Hi, you are able to implement the security headers in a very easy way. See: Mozilla tool to check web security: https://observatory.mozilla.org/ Demo wicket application (might be down or change after a while): https://wicketsecurity-klopfdreh.rhcloud.com/ The test: https://observatory.mozilla.org/analyze.html?host=wicketsecurity-klopfdreh.rhcloud.com The implementation within your Wicket Application: @Override protected void init() { super.init(); getRequestCycleListeners().add(new AbstractRequestCycleListener(){ @Override public void onEndRequest(RequestCycle cycle) { ((WebResponse)cycle.getResponse()).setHeader("X-XSS-Protection", "1; mode=block"); ((WebResponse)cycle.getResponse()).setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"); ((WebResponse)cycle.getResponse()).setHeader("X-Content-Type-Options", "nosniff"); ((WebResponse)cycle.getResponse()).setHeader("X-Frame-Options", "DENY"); ((WebResponse)cycle.getResponse()).setHeader("Content-Security-Policy", "default-src https:"); // Google "for Content-Security-Policy" to allow more domains } }); } The result: >> A- << (because of redirection settings of tomcat - I was not able to change them that fast) To get A just enable a server redirect like mentioned here: https://wiki.mozilla.org/Security/Guidelines/Web_Security#HTTP_Redirections kind regards Tobias Am 28.08.16 um 10:28 schrieb Carl-Eric Menzel: I think it would be a good idea to have something like this as an option in Wicket. Something to turn on with a one-liner for the application. There are a bunch of these headers that are useful, plus I recently came across this: https://dev.to/ben/the-targetblank-vulnerability-by-example Should we perhaps also add something that adds the rel="noopener" attribute to links with target="_blank"? I'm all for making these security things as easy as possible for the developer. Carl-Eric On Sat, 27 Aug 2016 18:08:36 +0200 Martin Grigorovwrote: Hi, We use Spring Security in all our applications. It adds these response headers for free. Any other Servlet Filter could do the same but I don't mind adding facilities in Wicket too. Btw one of the security experts from OWASP audited our applications in the last few weeks. Although he've found few problems here and there he said very nice words for Wicket! Martin Grigorov Wicket Training and Consulting https://twitter.com/mtgrigorov On Sat, Aug 27, 2016 at 6:01 PM, Tobias Soloschenko < tobiassolosche...@googlemail.com> wrote: Hi, Mozilla just made a tool public which allows to scan websites for security risks. Maybe we can somehow add a default set of headers to the page rendering of Wicket / apply other security relevant implementations. Or we are able to make them at least optional: https://observatory.mozilla.org Example header: https://wiki.mozilla.org/Security/Guidelines/Web_Security#X-XSS-Protection What so you think about that idea? kind regards Tobias
Re: Fragment's markup identifier change proposals for Wicket 8
Oh, good point. Indeed my first idea is pretty much not possible [1]. I meant the snippet with concrete subclasses only to illustrate the idea since fragments can be created even without a Fragment subclass. My point here is that even the Fragment being a concrete class, it still is an abstract Wicket markup container. A concrete Wicket markup container has an associated markup. When we associate the a markup to a Fragment, we are creating a concrete Wicket type, and this type needs a name. Therefore the importance I see in to keeping the "type" word in the identifier attribute. Regarding the attribute namespace, I'm +1 to default it to Wicket's namespece (like the "key" attribute in wicket:message tag usually defaults) rather than to explicitly write the namespace. e.g.: Given the .java ... add(new Fragment("myId", "MyFragment", this); ... I would prefer the following usage in the .xhtml ... ... rather than ... ... 1 - https://www.w3.org/TR/REC-xml/#id Pedro Santos On Sun, Aug 28, 2016 at 4:34 AM, Martin Grigorovwrote: > Hi Pedro, > > In both examples you make the assumption that there is a concrete class > extending from Fragment. > As with many other cases in Wicket it is quite common to use anonymous > inner class: return new Fragment(...) {} > In this case the name/id would be something like "MyContainer$1" which is > not so nice and more importantly it is not stable! It will change as soon > as another anonymous inner class is added before the Fragment. > > My personal preference would be: wicket:name="myCustomFragmentName"> > > The problem that I see with is that 'id' has a > special meaning in XML - it has to be unique in the document. > Most of the time s are defined as top-level elements in > MyPanel.html and have unique (wicket:)ids but it is perfectly fine to have > something like: > > > > > > > > > > > . > > > > > In this case any XML validation tool will complain that there are two > elements with the same id. The IDE as well. > > Martin Grigorov > Wicket Training and Consulting > https://twitter.com/mtgrigorov > > On Sun, Aug 28, 2016 at 7:28 AM, Pedro Santos wrote: > > > Hi devs, > > > > the "wicket:id" tag attribute is commonly used to identify Component's > > instances and its markup, and IMO it should be reserved to this end for > > clarity. > > > > While fragment's markup is identified by the "associatedMarkupId" > attribute > > inside the Fragment class, its associated markup is identified by the tag > > attribute "wicket:id" in the "wicket:fragment" tag. This new case of an > > associated markup being identified for a type rather than an instance > would > > benefit from a new identifier name. Therefore some proposals. > > > > 1 - Without changing the Fragment class, a natural tag attribute > identifier > > would "wicket:markup-id", matching the class attribute name. Since the > > identifier is already inside a markup, even more natural would be: > > "wicket:id" (yeah, I know). Given that we are already inside a tag in > > Wicket's namespace, a simpler identifier would be: "id". > > > > So instead of the current fragment definition: > > > > class MyFragment extends Fragment { > > ... > > super(id, "myFragmentMarkupId", markupContainer); > > ... > > } > > > > > > We would have: > > > > > > > > 2 - To change Fragment's "associatedMarkupId" attribute to "typeName". > Even > > if the user chooses to not specialize the Fragment class by creating a > > subclass of it, conceptually he is still specializing the markup > container > > when associating a markup to it. Following the same > logic,"wicket:fragment" > > tag's identifier attribute would be: "type-name". So we would have: > > > > class MyFragment extends Fragment { > > ... > > super(id, MyFragment.class.getSimpleName(), markupContainer); > > ... > > } > > > > > > What are your thought? > > > > Cheers > > > > Pedro Santos > > >
Re: Security Check of Mozilla / Wicket implementation
I think it would be a good idea to have something like this as an option in Wicket. Something to turn on with a one-liner for the application. There are a bunch of these headers that are useful, plus I recently came across this: https://dev.to/ben/the-targetblank-vulnerability-by-example Should we perhaps also add something that adds the rel="noopener" attribute to links with target="_blank"? I'm all for making these security things as easy as possible for the developer. Carl-Eric On Sat, 27 Aug 2016 18:08:36 +0200 Martin Grigorovwrote: > Hi, > > We use Spring Security in all our applications. > It adds these response headers for free. > > Any other Servlet Filter could do the same but I don't mind adding > facilities in Wicket too. > > Btw one of the security experts from OWASP audited our applications > in the last few weeks. Although he've found few problems here and > there he said very nice words for Wicket! > > Martin Grigorov > Wicket Training and Consulting > https://twitter.com/mtgrigorov > > On Sat, Aug 27, 2016 at 6:01 PM, Tobias Soloschenko < > tobiassolosche...@googlemail.com> wrote: > > > Hi, > > > > Mozilla just made a tool public which allows to scan websites for > > security risks. Maybe we can somehow add a default set of headers > > to the page rendering of Wicket / apply other security relevant > > implementations. Or we are able to make them at least optional: > > > > https://observatory.mozilla.org > > > > Example header: > > > > https://wiki.mozilla.org/Security/Guidelines/Web_Security#X-XSS-Protection > > > > What so you think about that idea? > > > > kind regards > > > > Tobias
Re: Fragment's markup identifier change proposals for Wicket 8
Hi Pedro, In both examples you make the assumption that there is a concrete class extending from Fragment. As with many other cases in Wicket it is quite common to use anonymous inner class: return new Fragment(...) {} In this case the name/id would be something like "MyContainer$1" which is not so nice and more importantly it is not stable! It will change as soon as another anonymous inner class is added before the Fragment. My personal preference would be: The problem that I see with is that 'id' has a special meaning in XML - it has to be unique in the document. Most of the time s are defined as top-level elements in MyPanel.html and have unique (wicket:)ids but it is perfectly fine to have something like:. In this case any XML validation tool will complain that there are two elements with the same id. The IDE as well. Martin Grigorov Wicket Training and Consulting https://twitter.com/mtgrigorov On Sun, Aug 28, 2016 at 7:28 AM, Pedro Santos wrote: > Hi devs, > > the "wicket:id" tag attribute is commonly used to identify Component's > instances and its markup, and IMO it should be reserved to this end for > clarity. > > While fragment's markup is identified by the "associatedMarkupId" attribute > inside the Fragment class, its associated markup is identified by the tag > attribute "wicket:id" in the "wicket:fragment" tag. This new case of an > associated markup being identified for a type rather than an instance would > benefit from a new identifier name. Therefore some proposals. > > 1 - Without changing the Fragment class, a natural tag attribute identifier > would "wicket:markup-id", matching the class attribute name. Since the > identifier is already inside a markup, even more natural would be: > "wicket:id" (yeah, I know). Given that we are already inside a tag in > Wicket's namespace, a simpler identifier would be: "id". > > So instead of the current fragment definition: > > class MyFragment extends Fragment { > ... > super(id, "myFragmentMarkupId", markupContainer); > ... > } > > > We would have: > > > > 2 - To change Fragment's "associatedMarkupId" attribute to "typeName". Even > if the user chooses to not specialize the Fragment class by creating a > subclass of it, conceptually he is still specializing the markup container > when associating a markup to it. Following the same logic,"wicket:fragment" > tag's identifier attribute would be: "type-name". So we would have: > > class MyFragment extends Fragment { > ... > super(id, MyFragment.class.getSimpleName(), markupContainer); > ... > } > > > What are your thought? > > Cheers > > Pedro Santos >