Hi,
I'm trying to write a new Wicket application, and I wanted to use CSP
for added security. It seems like that there are two main issues:
* Wicket's AJAX support is highly dependent on inline and eval'd
JavaScript code
* component visibility is controlled using inline styles
Is WICKET-5406 going to get some traction anytime soon, or are there
known workarounds for the above issues (like a CSP friendly AJAX
implementation)?
Alternatively, I was thinking of a couple of ways to overcome these
issues, like:
* trying to use one-off resource references (if possible?) for
individual requests, so that instead of eval'ing, the code could be just
simply loaded instead?
* have a way to generate and retrieve nonces for inline resources and
make sure that Wicket sets the CSP header on its own.
* update Wicket itself to use text/json script elements to load its
configuration and pass JSON objects only for AJAX responses, so that
they no longer need to be eval'd.
Are these approaches any good?
Thanks,
Peter
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org
