Andrew Kondratev created WICKET-6682:
----------------------------------------
Summary: Improve JavaScriptContentHeaderItem and JavaScriptUtils to support nonce
Key: WICKET-6682
URL: https://issues.apache.org/jira/browse/WICKET-6682
Project: Wicket
Issue Type: Improvement
Reporter: Andrew Kondratev
One of the easy wins for content security policy would be support of _nonce_ for
inline JavaScript header injections.
[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#Unsafe_inline_script]
*Criteria*
* Set up some kind of request-unique nonce provider
* Make it possible for JavaScript header items to have the provided nonce
* Add the provided nonce to the `Content-Security-Policy: script-src` header
See in code:
org.apache.wicket.core.util.string.JavaScriptUtils#writeOpenTag
org.apache.wicket.markup.head.JavaScriptContentHeaderItem#render
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
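
The three criteria in the issue above, shown together as an added example that is not Wicket code and not from the reporter. The class and method names are hypothetical, and the `'self'` source in the policy is an assumption of the example.

```java
import java.security.SecureRandom;
import java.util.Base64;

// Added illustration: class and method names are hypothetical, not Wicket API.
public class CspNonceExample {
    private static final SecureRandom RANDOM = new SecureRandom();

    // Criterion 1: a fresh, unpredictable nonce per request (128 random bits, base64).
    static String newRequestNonce() {
        byte[] bytes = new byte[16];
        RANDOM.nextBytes(bytes);
        return Base64.getEncoder().encodeToString(bytes);
    }

    // Criterion 2: open tag for an inline script carrying the request's nonce.
    static String openTag(String nonce) {
        // Accept only base64 characters so the value cannot break out of the attribute.
        if (nonce == null || !nonce.matches("[A-Za-z0-9+/]+={0,2}")) {
            throw new IllegalArgumentException("nonce must be a base64 string");
        }
        return "<script type=\"text/javascript\" nonce=\"" + nonce + "\">\n";
    }

    // Criterion 3: header value allowing only scripts that carry this nonce.
    // 'self' for external scripts is an assumption of this example.
    static String cspHeaderValue(String nonce) {
        return "script-src 'self' 'nonce-" + nonce + "'";
    }

    public static void main(String[] args) {
        // Constructed sample: two requests, each with its own nonce.
        for (int request = 1; request <= 2; request++) {
            String nonce = newRequestNonce();
            System.out.println("Content-Security-Policy: " + cspHeaderValue(nonce));
            System.out.print(openTag(nonce));
            System.out.println("console.log('header item " + request + "');");
            System.out.println("</script>\n");
        }
        // A value that is not base64 is rejected instead of being written into the tag.
        try {
            openTag("bad value\"");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The nonce in the header and in every inline script of one response must be the same value, and a response that embeds a nonce must not be served from a shared cache, since a reused nonce gives no protection.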