[
https://issues.apache.org/jira/browse/WICKET-6682?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16879624#comment-16879624
]
Maxim Solodovnik commented on WICKET-6682:
------------------------------------------
Alternatively checksums can be created for inline scripts `Alternatively, you
can create hashes from your inline scripts. CSP supports sha256, sha384 and
sha512.`
Not sure yet how this can be used :(
> Improve JavaScriptContentHeaderItem and JavaScriptUtils to support nonce
> ------------------------------------------------------------------------
>
> Key: WICKET-6682
> URL: https://issues.apache.org/jira/browse/WICKET-6682
> Project: Wicket
> Issue Type: Improvement
> Reporter: Andrew Kondratev
> Priority: Major
> Labels: security
>
> One of easy wins for content security policy would be a support of _nonce_
> for inline JavaScript header injections.
> [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#Unsafe_inline_script]
> *Criteria*
> * Set up some kind of request unique nonce provider
> * Make it possible for JavaScript header items to have provided nonce
> * Add provided nonce to the `Content-Security-Policy: script-src` header
> See in code:
> org.apache.wicket.core.util.string.JavaScriptUtils#writeOpenTag
> org.apache.wicket.markup.head.JavaScriptContentHeaderItem#render
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
