[
https://issues.apache.org/jira/browse/WICKET-6321?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16339228#comment-16339228
]
Peter Major commented on WICKET-6321:
-------------------------------------
I've made some progress with a patch for this, however there are a few things
that I'm not sure how to tackle:
* SRI only really makes sense when the resource is on a different origin, so
I've only adjusted the JavaScriptUrlReferenceHeaderItem for now, but question
is what should happen with JavaScriptReferenceHeaderItem? Should that also have
CrossOrigin and integrity attributes even though it wouldn't always be an
external link?
* A UrlResourceReference can also point at local domain, so should we render
these attributes conditionally when isContextRelative returns false?
* ResourceAggregator uses the headeritem details to do some magic, I suppose
that should take into account crossorigin and integrity attributes as well?
Still missing:
* SRI support for CSS as well, should be a lot simpler once the JS side is
ironed out.
> Support Integrity and Crossorigin attributes for
> JavaScriptUrlReferenceHeaderItem
> ----------------------------------------------------------------------------------
>
> Key: WICKET-6321
> URL: https://issues.apache.org/jira/browse/WICKET-6321
> Project: Wicket
> Issue Type: Improvement
> Components: wicket
> Affects Versions: 8.0.0-M3
> Reporter: Mikhail Fursov
> Priority: Major
> Attachments: wicket-6321.diff
>
>
> Example of secure script reference:
> <script
> src="https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.0.0-alpha.6/js/bootstrap.min.js";
> integrity="sha256-+kIbbrvS+0dNOjhmQJzmwe/RILR/8lb/+4+PUNVW09k="
> crossorigin="anonymous"></script>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
