This is an automated email from the ASF dual-hosted git repository.

papegaaij pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/wicket.git

commit ef8049cca3d3a44500874a8e4c66cd40f6f353f5
Author: Emond Papegaaij <[email protected]>
AuthorDate: Sun Feb 23 21:03:59 2020 +0100

    WICKET-6733: enable strict CSP by default
---
 wicket-core/src/main/java/org/apache/wicket/mock/MockApplication.java   | 2 ++
 .../src/main/java/org/apache/wicket/protocol/http/WebApplication.java   | 2 ++
 2 files changed, 4 insertions(+)

diff --git 
a/wicket-core/src/main/java/org/apache/wicket/mock/MockApplication.java 
b/wicket-core/src/main/java/org/apache/wicket/mock/MockApplication.java
index 3dbe4fb..d6bfa00 100644
--- a/wicket-core/src/main/java/org/apache/wicket/mock/MockApplication.java
+++ b/wicket-core/src/main/java/org/apache/wicket/mock/MockApplication.java
@@ -74,5 +74,7 @@ public class MockApplication extends WebApplication
                // the core CSS causes noise (a head + link in every generated 
markup) in tests
                // and isn't needed, because the markup isn't rendered by a 
browser
                getResourceSettings().disableWicketCoreCSS();
+               // disable nonces, CSP is not needed anyway during tests
+               getCsp().blocking().disabled();
        }
 }
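Review bot: Disabling the blocking policy in MockApplication means any page rendered through it in tests will never surface a CSP regression (an inline script or style missing a nonce), so the added comment should say that explicitly rather than "not needed anyway". Something like `// CSP is switched off for the mock application: tests running under it do not verify nonce/CSP compliance, use a real WebApplication subclass when that must be covered` would tell a reader why a test passes while the same markup is blocked in a browser. Whether WicketTester falls back to MockApplication by default is not visible here, so the practical scope of this gap should be confirmed against the tester setup.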
diff --git 
a/wicket-core/src/main/java/org/apache/wicket/protocol/http/WebApplication.java 
b/wicket-core/src/main/java/org/apache/wicket/protocol/http/WebApplication.java
index f6f3bd2..d00b7f4 100644
--- 
a/wicket-core/src/main/java/org/apache/wicket/protocol/http/WebApplication.java
+++ 
b/wicket-core/src/main/java/org/apache/wicket/protocol/http/WebApplication.java
@@ -755,6 +755,7 @@ public abstract class WebApplication extends Application
                getHeaderResponseDecorators()
                        .add(response -> new 
CSPNonceHeaderResponseDecorator(response, getCsp()));
                mount(new ReportCSPViolationMapper(getCsp()));
+               getCsp().blocking().strict();
                
                if (getConfigurationType() == 
RuntimeConfigurationType.DEVELOPMENT)
                {
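Review bot: The unconditional `getCsp().blocking().strict();` turns on a blocking policy for every application that does not override it, yet the hunk carries no comment saying so or how to relax it, which matters because a strict policy typically rejects inline scripts and styles that existing applications may still emit. I would add `// WICKET-6733: a strict blocking CSP is on by default; applications that rely on inline script/style can relax or disable it from their init() via getCsp().blocking()` above the call. The exact directives `strict()` emits are defined outside this hunk, so the comment should avoid listing them. The enclosing method begins outside the hunk, so whether subclass init() code runs before or after this line cannot be confirmed from what is shown.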
@@ -764,6 +765,7 @@ public abstract class WebApplication extends Application
                        {
                                
getResourceSettings().getResourceFinders().add(new Path(resourceFolder));
                        }
+                       getCsp().blocking().reportBack();
                }
                setPageRendererProvider(WebPageRenderer::new);
                setSessionStoreProvider(HttpSessionStore::new);
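Review bot: `getCsp().blocking().reportBack();` is only applied in DEVELOPMENT, so in DEPLOYMENT violations are presumably blocked with no report reaching the ReportCSPViolationMapper mounted earlier, leaving operators without telemetry when the new default breaks a page. A comment should state this deliberate choice, e.g. `// violation reports are only requested in development; production deployments wanting CSP telemetry must enable reportBack() themselves`. Note that the report mapper itself is mounted regardless of configuration type, so the endpoint still accepts browser-submitted reports in production; confirm the mapper treats that payload as untrusted input (size-bounded, not echoed into logs unsanitized). The semantics of reportBack() are defined outside this hunk, so the above is inferred from the names.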
