Hi all,

For the past few days I've been experimenting with the new CSP
features in Wicket 9. I really want to thank Andrew, Sven and Martin
for the great work you guys did in making this possible. I'm getting
very close to running my application with a very tight and secure CSP.
Unfortunately, some parts of Wicket still use inline styling and
scripting. So far I've found the following two issues:

* hidden components with setOutputMarkupPlaceholderTag(true) have display:none
* Forms render inline styling and javascript in some cases to improve
submit handling

I think we should try to fix these before Wicket 9 is released. I will
continue to debug our application to see if there are more places.

At Topicus we wrote an IRequestCycleListener that applies the CSP
automatically to every request via HTTP headers. The API makes it easy
to configure the CSP. I've added support for the nonce as well. It
uses a new nonce for every request, which should be more secure than a
nonce bound to a session. I'll discuss with my employee next week if
we can donate this code to Wicket.

Best regards,
Emond

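An illustration of the approach Emond describes, written here as an added example; it is not the Topicus listener nor code from the Wicket project. It assumes the class name CspRequestCycleListener, a MetaDataKey named NONCE, and the particular policy string, all of which are hypothetical; the Wicket types used (IRequestCycleListener, RequestCycle, WebResponse, MetaDataKey) are real Wicket APIs. The point it shows is the per-request nonce: a fresh random value is generated in onBeginRequest, stored on the RequestCycle so that header contributors in the same request can read it, and emitted in the Content-Security-Policy header before anything is written to the response.

```java
// Added example (not Topicus or Wicket code): a request cycle listener that
// sets a nonce-based CSP header on every response, with a new nonce per request.
import java.security.SecureRandom;
import java.util.Base64;

import org.apache.wicket.MetaDataKey;
import org.apache.wicket.request.cycle.IRequestCycleListener;
import org.apache.wicket.request.cycle.RequestCycle;
import org.apache.wicket.request.http.WebResponse;

public class CspRequestCycleListener implements IRequestCycleListener {

    // Hypothetical key; components that must render a nonce attribute read it via
    // RequestCycle.get().getMetaData(CspRequestCycleListener.NONCE).
    public static final MetaDataKey<String> NONCE = new MetaDataKey<String>() {};

    // SecureRandom is thread-safe, so one instance can serve all request threads.
    private final SecureRandom random = new SecureRandom();

    @Override
    public void onBeginRequest(RequestCycle cycle) {
        // Only HTTP responses carry headers; skip anything else (e.g. tests with a mock response).
        if (!(cycle.getResponse() instanceof WebResponse)) {
            return;
        }

        // 128 bits of randomness, base64 encoded, as the CSP spec recommends for nonces.
        byte[] raw = new byte[16];
        random.nextBytes(raw);
        String nonce = Base64.getEncoder().encodeToString(raw);

        // Bind the nonce to this request only: a nonce bound to the session would stay
        // valid for every page in the session once an attacker learned it.
        cycle.setMetaData(NONCE, nonce);

        // Hypothetical policy; adjust the source lists to what the application really needs.
        String policy = "default-src 'none'; "
                + "script-src 'nonce-" + nonce + "' 'strict-dynamic'; "
                + "style-src 'nonce-" + nonce + "'; "
                + "img-src 'self'; font-src 'self'; connect-src 'self'; "
                + "base-uri 'none'; frame-ancestors 'none'";

        // onBeginRequest runs before any handler writes to the response, so the header
        // is set before the response is committed.
        ((WebResponse) cycle.getResponse()).setHeader("Content-Security-Policy", policy);
    }

    // Registration (in WebApplication.init()):
    //   getRequestCycleListeners().add(new CspRequestCycleListener());
}
```

Two practical checks when running with a policy like this: inline styles such as the `display:none` placeholder and the form submit helpers mentioned above will be blocked unless they carry the nonce or are moved to external resources, so watch the browser console for CSP violation reports; and a `report-uri`/`report-to` directive, or `Content-Security-Policy-Report-Only` during rollout, makes those violations visible server-side before the policy is enforced.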