Searching through our Jira, I've found WICKET-6687, filed by Andrew. He already pinpointed several places that break with a strict CSP enabled. I'm going to convert that bug into a task (we do not have epic) and create new bugs for all issues in that ticket. That should make it easier to track progress.
Best regards, Emond On Sat, Jan 11, 2020 at 10:31 PM Emond Papegaaij <emond.papega...@gmail.com> wrote: > > Hi all, > > For the past few days I've been experimenting with the new CSP > features in Wicket 9. I really want to thank Andrew, Sven and Martin > for the great work you guys did in making this possible. I'm getting > very close to running my application with a very tight and secure CSP. > Unfortunately, some parts of Wicket still use inline styling and > scripting. So far I've found the following two issues: > > * hidden components with setOutputMarkupPlaceholderTag(true) have display:none > * Forms render inline styling and javascript in some cases to improve > submit handling > > I think we should try to fix these before Wicket 9 is released. I will > continue to debug our application to see if there are more places. > > At Topicus we wrote a IRequestCycleListener that applies the CSP > automatically to every request via HTTP headers. The API makes it easy > to configure the CSP. I've added support for the nonce as well. It > uses a new nonce for every request, which should be more secure than a > nonce bound to a session. I'll discuss with my employee next week if > we can donate this code to Wicket. > > Best regards, > Emond
