WICKET-7172: Extend CSP with support for script-src-attr, style-src-attr#1341
WICKET-7172: Extend CSP with support for script-src-attr, style-src-attr#1341keesvandieren wants to merge 7 commits intoapache:masterfrom
Conversation
keesvandieren
changed the title
martin-g
left a comment
martin-g
left a comment
There was a problem hiding this comment.
We need a JIRA ticket for the changelog.
wicket-core/src/test/java/org/apache/wicket/csp/CSPDirectiveTest.java
Outdated
Show resolved
Hide resolved
wicket-core/src/main/java/org/apache/wicket/csp/CSPDirective.java
Outdated
Show resolved
Hide resolved
wicket-core/src/main/java/org/apache/wicket/csp/CSPDirective.java
Outdated
Show resolved
Hide resolved
martin-g
changed the title
wicket-core/src/main/java/org/apache/wicket/csp/CSPDirective.java
Outdated
Show resolved
Hide resolved
| { | ||
| if (!existingDirectiveValues.isEmpty()) | ||
| { | ||
| throw new IllegalArgumentException("Directive " + this + " supports only one value"); |
There was a problem hiding this comment.
According to https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/script-src-attr#source-expression-list those could have multiple values, not just one.
There was a problem hiding this comment.
Technically this is true, but in practice only 2 values are allowed: none and 'unsafe inline'. They contradict each other so shouldn't be used together.
There was a problem hiding this comment.
Let's hear some more opinions from other CSP users.
My personal opinion is that we should follow the standards but I don't have experience in this area.
There was a problem hiding this comment.
Actually you are correct, my implementation doesn't support all allowed values. These should be allowed:
'none'
'unsafe-hashes'
'unsafe-inline'
'report-sample'
3 participants
Those new directives have been added to CSP in 2022 but are not yet available in Wicket
WICKET-7172