I've discussed this with our unit manager, and got permission to
donate our CSP code to Wicket. I think a strong, out of the box CSP is
a killer feature to have for Wicket 9. Not many frameworks can match
this. For this, I would like to continue working on the following
parts:
* Remove all inline styling and JS from Wicket. I will need some help
with this, especially the Form related code.
* Make sure all examples work fine with a strong CSP enabled
* Add the CSP code to Wicket and provide several presets (strong,
unsafeJsAndStyling, reportOnly, disabled)
* Enable CSP with the strong preset by default

I've already started the work on the 'csp' branch. On this branch,
I've also migrated all but the servlet API to the jakarta namespace.

Best regards,
Emond

On Sun, Jan 12, 2020 at 8:18 PM Emond Papegaaij
<emond.papega...@gmail.com> wrote:
>
> Searching through our Jira, I've found WICKET-6687, filed by Andrew.
> He already pinpointed several places that break with a strict CSP
> enabled. I'm going to convert that bug into a task (we do not have
> epic) and create new bugs for all issues in that ticket. That should
> make it easier to track progress.
>
> Best regards,
> Emond
>
> On Sat, Jan 11, 2020 at 10:31 PM Emond Papegaaij
> <emond.papega...@gmail.com> wrote:
> >
> > Hi all,
> >
> > For the past few days I've been experimenting with the new CSP
> > features in Wicket 9. I really want to thank Andrew, Sven and Martin
> > for the great work you guys did in making this possible. I'm getting
> > very close to running my application with a very tight and secure CSP.
> > Unfortunately, some parts of Wicket still use inline styling and
> > scripting. So far I've found the following two issues:
> >
> > * hidden components with setOutputMarkupPlaceholderTag(true) have
> > display:none
> > * Forms render inline styling and javascript in some cases to improve
> > submit handling
> >
> > I think we should try to fix these before Wicket 9 is released. I will
> > continue to debug our application to see if there are more places.
> >
> > At Topicus we wrote an IRequestCycleListener that applies the CSP
> > automatically to every request via HTTP headers. The API makes it easy
> > to configure the CSP. I've added support for the nonce as well. It
> > uses a new nonce for every request, which should be more secure than a
> > nonce bound to a session. I'll discuss with my employee next week if
> > we can donate this code to Wicket.
> >
> > Best regards,
> > Emond
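The two technical points in this thread, the preset names proposed for the donated code (strong, unsafeJsAndStyling, reportOnly, disabled) and the listener that sets the CSP header with a fresh nonce on every request, can be illustrated with the following sketch. This is an added example written for this page; it is neither the Topicus code nor Wicket's own CSP implementation. Only the preset names come from the mail; the directive contents, the class and method names, and the `MetaDataKey` used to hand the nonce to rendering code are assumptions. The Wicket types used (`IRequestCycleListener`, `RequestCycle`, `WebResponse`, `MetaDataKey`) are real Wicket 9 API.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.StringJoiner;

import org.apache.wicket.MetaDataKey;
import org.apache.wicket.request.cycle.IRequestCycleListener;
import org.apache.wicket.request.cycle.RequestCycle;
import org.apache.wicket.request.http.WebResponse;

/**
 * Hypothetical CSP listener (example only, not the donated Topicus code).
 * One listener instance is registered per application with a chosen preset;
 * every request then gets its own nonce and its own policy header.
 */
public class CspRequestCycleListener implements IRequestCycleListener {

    /** Preset names follow the proposal in the mail; their directive values are assumed. */
    public enum Preset { STRONG, UNSAFE_JS_AND_STYLING, REPORT_ONLY, DISABLED }

    /** Assumed key: the nonce is stored on the request cycle so components can tag their script/style elements. */
    public static final MetaDataKey<String> NONCE_KEY = new MetaDataKey<String>() {};

    private static final SecureRandom RANDOM = new SecureRandom();
    private final Preset preset;

    public CspRequestCycleListener(Preset preset) {
        this.preset = preset;
    }

    /** 128 bits from a CSPRNG, base64 encoded; a new value per request, so a nonce is worthless once the response is sent. */
    static String newNonce() {
        byte[] bytes = new byte[16];
        RANDOM.nextBytes(bytes);
        return Base64.getEncoder().encodeToString(bytes);
    }

    /** Builds the policy string; the strong preset allows only same-origin resources plus nonce-tagged scripts and styles. */
    static String buildPolicy(Preset preset, String nonce) {
        Map<String, String> directives = new LinkedHashMap<>();
        directives.put("default-src", "'none'");
        directives.put("img-src", "'self'");
        directives.put("font-src", "'self'");
        directives.put("connect-src", "'self'");
        directives.put("base-uri", "'self'");
        directives.put("form-action", "'self'");
        if (preset == Preset.UNSAFE_JS_AND_STYLING) {
            // Fallback while the framework itself still emits inline display:none and form-submit scripts.
            directives.put("script-src", "'self' 'unsafe-inline'");
            directives.put("style-src", "'self' 'unsafe-inline'");
        } else {
            String nonceSrc = "'nonce-" + nonce + "'";
            directives.put("script-src", "'self' " + nonceSrc);
            directives.put("style-src", "'self' " + nonceSrc);
        }
        StringJoiner joiner = new StringJoiner("; ");
        directives.forEach((name, value) -> joiner.add(name + " " + value));
        return joiner.toString();
    }

    /** Report-only uses a different header: the browser logs violations but does not block anything. */
    static String headerName(Preset preset) {
        return preset == Preset.REPORT_ONLY
            ? "Content-Security-Policy-Report-Only"
            : "Content-Security-Policy";
    }

    @Override
    public void onBeginRequest(RequestCycle cycle) {
        if (preset == Preset.DISABLED) {
            return;
        }
        String nonce = newNonce();
        cycle.setMetaData(NONCE_KEY, nonce);
        // In a web application the cycle's response is a WebResponse; guard for other response types.
        if (cycle.getResponse() instanceof WebResponse) {
            ((WebResponse) cycle.getResponse()).setHeader(headerName(preset), buildPolicy(preset, nonce));
        }
    }
}
```

Registration would be one line in `WebApplication.init()`: `getRequestCycleListeners().add(new CspRequestCycleListener(CspRequestCycleListener.Preset.STRONG));`. Components that render a script or style element read `RequestCycle.get().getMetaData(CspRequestCycleListener.NONCE_KEY)` and emit it as the element's `nonce` attribute; anything inline that lacks the nonce, such as the `display:none` placeholder and the form-submit script mentioned above, is what the strong preset makes visible as a violation, which is exactly the cleanup the proposal asks for.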