Hi Santiago,

It's always nice to get some help in maintaining Wicket. Wicket has
always been strong wrt security. That's one of the reasons why at
Topicus we use it to power our Identity and Access Management solution
called Topicus KeyHub.

Just a few weeks ago I filed the following ticket
https://issues.apache.org/jira/browse/WICKET-6786 . Wicket already has
some form of CSRF protection, but it uses the Origin header to detect
cross-site requests. This works most of the time, but is not as
reliable as using the new fetch metadata. IMHO the current
implementation should be enhanced with support for the fetch metadata
headers, with a fallback to the old approach. I haven't had the time
to work on the implementation, but it's on my todo list.

I must admit I did not yet know about the existence of trusted types.
I do think Wicket would be a good fit for that protection. It already
defines clear paths through which the DOM can be manipulated.

Best regards,
Emond

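An added example, not part of this thread or of Wicket's code, of the layered check Emond describes: a plain servlet filter that applies the Fetch Metadata resource isolation policy and falls back to the Origin header (and then to safe methods only) when a browser sends no Sec-Fetch-* headers. The class and method names are made up for this example; it assumes the Servlet 4.0+ API (default init/destroy) and Java 9+ for Set.of.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class FetchMetadataIsolationFilter implements Filter {
    private static final Set<String> SAFE_METHODS = Set.of("GET", "HEAD", "OPTIONS");
    private static final Set<String> EMBEDDING_DESTS = Set.of("object", "embed");

    /** Decides whether a request may proceed; kept free of servlet types so it is unit-testable. */
    static boolean isAllowed(String method, String secFetchSite, String secFetchMode,
                             String secFetchDest, String origin, String ownOrigin) {
        if (secFetchSite != null) {
            // Browser-set, script-immutable metadata is present: prefer it over Origin/Referer.
            if (secFetchSite.equals("same-origin") || secFetchSite.equals("same-site")
                    || secFetchSite.equals("none")) {
                return true;
            }
            // Cross-site request: allow only plain top-level GET navigations (so links into the
            // app keep working) and refuse <object>/<embed> loads, form POSTs and fetch()/XHR.
            return "GET".equals(method) && "navigate".equals(secFetchMode)
                    && (secFetchDest == null || !EMBEDDING_DESTS.contains(secFetchDest));
        }
        // Legacy fallback (no fetch metadata): compare the Origin header against our own origin.
        if (origin != null) {
            return origin.equalsIgnoreCase(ownOrigin);
        }
        // No Origin either: older browsers omit it on same-origin GETs, so allow safe methods only.
        return SAFE_METHODS.contains(method);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        int port = r.getServerPort();
        boolean defaultPort = ("http".equals(r.getScheme()) && port == 80)
                || ("https".equals(r.getScheme()) && port == 443);
        // Origin headers omit default ports, so build our own origin the same way.
        String ownOrigin = r.getScheme() + "://" + r.getServerName() + (defaultPort ? "" : ":" + port);
        if (isAllowed(r.getMethod(), r.getHeader("Sec-Fetch-Site"), r.getHeader("Sec-Fetch-Mode"),
                r.getHeader("Sec-Fetch-Dest"), r.getHeader("Origin"), ownOrigin)) {
            chain.doFilter(req, res);
        } else {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }
}
```
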
On Fri, Jun 5, 2020 at 12:38 PM Santiago Díaz
<sald...@google.com.invalid> wrote:
>
> Hello Wicket devs!
>
> Thanks for pointing out the Jira tickets that I missed! I didn't realise that 
> you already have extensive CSP support. Great job on getting rid of both 
> unsafe-inline & unsafe-eval!
>
> In that case, we will be shifting focus towards improving Wicket's security 
> through one or more of the following security enhancements:
>
>  - Protecting against DOM XSS:
>       - Trusted Types is a strong protection against DOM XSS. There is a 
> great primer at https://web.dev/trusted-types/
>
> - Protecting against Cross-Site Request Forgery, XS-Leaks, Spectre & timing 
> attacks through site isolation:
>       - Fetch Metadata. See 
> https://developer.mozilla.org/en-US/docs/Glossary/Fetch_metadata_request_header#:~:text=A%20fetch%20metadata%20request%20header,not%20be%20modified%20from%20JavaScript.
>       - Cross-Origin Opener Policy. See https://web.dev/why-coop-coep/
>
> I am somewhat familiar with ASF's general contribution guidelines but if you 
> would like to point us to any resources that you think will make our 
> collaboration smoother, I will be happy to share them internally. Tobias' 
> suggestion on giving some additional context on challenges you've found 
> sounds great.
>
> We are still at a very early stage of our project, but I will use this thread 
> to keep you updated on progress & questions.
>
> Cheers!
>
>
> On Fri, Jun 5, 2020 at 12:12 PM Andrew Kondratev <and...@kondratev.pro> wrote:
>
> On 2020/06/05 10:09:23, Andrew Kondratev <and...@kondratev.pro> wrote:
> > >> IMO we should explain that the CSP support has been already added in 9.x
> > >> and to close this forgotten JIRA ticket.
> > >> Then if they still think there are ways to improve the current
> > >> implementation they are very welcome to contribute!
> >
> > Martin, I did tell it first:
> >
> > >> Hi Santiago.
> > >>
> > >> The CSP support has actually improved a lot since then.
> > >> Wicket got rid of evals in the code, see here
> > https://github.com/apache/wicket/pull/384 /
> > https://issues.apache.org/jira/browse/WICKET-6703
> > >>
> > >> How exactly are you going to boost the work and how can I personally
> > help you?
> > >>
> > >> I'll forward your question to dev@wicket.apache.org
> > >>
> > >> Cheers,
> > >> Andrew
> >
> > Fri, 5 Jun 2020 at 18:31, Martin Grigorov <mgrigo...@apache.org>:
> >
> > > Hi,
> > >
> > > On Fri, Jun 5, 2020 at 6:17 AM Tobias Soloschenko
> > > <tobiassolosche...@googlemail.com.invalid> wrote:
> > >
> > > > Hi,
> > > >
> > > > In my opinion they just want to contribute to Wicket. I would simply
> > > > explain how the process of contribution works at ASF (PRs, etc.) and
> > > > give them some information on what challenges we have faced till now.
> > > >
> > >
> > > IMO we should explain that the CSP support has been already added in 9.x
> > > and to close this forgotten JIRA ticket.
> > > Then if they still think there are ways to improve the current
> > > implementation they are very welcome to contribute!
> > >
> > > @Andrew feel free to point them to this discussion. One can join at
> > >
> > > https://lists.apache.org/thread.html/rbd8b1500fff1140d136a08e35cf8c0f5cf200bf8a60b6a58204ef9a7%40%3Cdev.wicket.apache.org%3E
> > >
> > >
> > > >
> > > > kind regards
> > > >
> > > > Tobias
> > > >
> > > > > On 05.06.2020 at 02:18, Andrew Kondratev <and...@kondratev.pro> wrote:
> > > > >
> > > > > Hi colleagues! I just received this email. Not sure what this all means.
> > > > >
> > > > > ---------- Forwarded message ---------
> > > > > From: Santiago Díaz <sald...@google.com>
> > > > > Date: Thu, 4 Jun 2020 at 21:47
> > > > > Subject: Contribution - CSP support for Wicket
> > > > > To: <andru...@gmail.com>
> > > > >
> > > > >
> > > > > Hello Andrew,
> > > > >
> > > > > My name is Santiago, I'm a Security Engineer at Google. I am currently
> > > > > making preparations to receive a small group of interns for this summer's
> > > > > Google internships and found your email during the course of my research.
> > > > >
> > > > > *Context*
> > > > > Here at Google we have a lot of experience deploying security mechanisms
> > > > > (like Content Security Policy, Trusted Types, Fetch Metadata, Cross-Origin
> > > > > Opener Policy and others) at scale. We understand the pains of designing
> > > > > strong security policies, finding blockers for their deployment and
> > > > > locating pieces of code that need refactoring.
> > > > >
> > > > > *Why are you receiving this email?*
> > > > > For this year's internships (and considering the current global situation)
> > > > > we would like to contribute to selected open source projects, bringing some
> > > > > of our experience to *encourage adoption of some of these security
> > > > > enhancements*. Wicket is one of the projects we have shortlisted and we'd
> > > > > be happy to collaborate with you!
> > > > >
> > > > > I found out that there is an ongoing discussion over at
> > > > > https://issues.apache.org/jira/browse/WICKET-5406 to improve CSP support in
> > > > > Wicket and that *you have been running some experiments on what that would
> > > > > look like*.
> > > > >
> > > > > Having said that, it would be great if we could boost your work instead of
> > > > > reinventing the wheel. As such, I would like to know if you'd be open to
> > > > > our contributions and if so, whether you'd be willing to give me some
> > > > > context on what has been done, what issues you've come across and whether
> > > > > you have any thoughts on what would be the best way for us to contribute.
> > > > >
> > > > > Thank you for reading and I'm looking forward to hearing from you! :)
> > > > >
> > > > > S.
> > > >
> > >
> >
