Mark Snijder created WICKET-6813:
------------------------------------
Summary: Setting child-src does not update frame-src after initial assignment
Key: WICKET-6813
URL: https://issues.apache.org/jira/browse/WICKET-6813
Project: Wicket
Issue Type: Bug
Components: wicket-core
Affects Versions: 9.0.0, 9.0.0-M5
Reporter: Mark Snijder
When configuring CHILD_SRC, Wicket also configures FRAME_SRC
([CSPHeaderConfiguration.doAddDirective|https://github.com/apache/wicket/blob/bef3facb3b240f60a3455f257eaf1b9db81a9e29/wicket-core/src/main/java/org/apache/wicket/csp/CSPHeaderConfiguration.java#L310]);
however, it only does this when FRAME_SRC is not set.

Since _unsafeInline()_ sets CHILD_SRC to 'self', adding other CHILD_SRC
directive values will not update the FRAME_SRC value anymore. The CSP settings
in the code below cause a _Refused to frame 'https://docs.google.com/' because
it violates the following Content Security Policy directive: "frame-src
'self'"._ error.
{code:java}
getCspSettings().blocking()
.unsafeInline()
.add(CSPDirective.SCRIPT_SRC, "https://apis.google.com/")
.add(CSPDirective.CHILD_SRC, "https://docs.google.com/");
{code}
A workaround is to add FRAME_SRC manually to the code above
(_.add(CSPDirective.FRAME_SRC, "https://docs.google.com/")_), but I would have
expected the code to work without adding this.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
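The browser-side rule behind the error quoted in the report is the CSP Level 3 fallback chain: a frame load is governed by frame-src if present, otherwise by child-src, otherwise by default-src. Once a frame-src directive exists, nothing added to child-src is consulted for frames. The following is an added example, not Wicket's code or the reporter's: a small model of that resolution plus a simplified source-expression matcher, run over three constructed header values that mirror the report (the mirrored-once policy, the same policy without frame-src, and the reporter's workaround). The page origin, the frame URL and the exact header strings are assumptions; they are not captured from a Wicket application.

```javascript
// Added example, not Wicket's code: a model of how a CSP Level 3 browser picks
// the directive that governs a nested frame and matches its source list. It
// shows why a frame-src that was mirrored from child-src once ('self') keeps
// refusing https://docs.google.com/ no matter what is later added to child-src.

// CSP3 fallback chains: the first directive present in the policy governs.
const FALLBACK = new Map([
  ["frame-src", ["frame-src", "child-src", "default-src"]],
  ["worker-src", ["worker-src", "child-src", "script-src", "default-src"]],
  ["script-src", ["script-src", "default-src"]],
]);

// Parse a Content-Security-Policy header value into Map<directive, sources[]>.
// Only the first occurrence of a directive name counts, as in the spec.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Name of the directive that governs `effective` after fallback, or null if
// none is present (in which case CSP does not restrict the load at all).
function governingDirective(policy, effective) {
  for (const name of FALLBACK.get(effective) || [effective]) {
    if (policy.has(name)) return name;
  }
  return null;
}

// Simplified source-expression matching: keywords, '*', scheme-source and
// host-source (optional scheme, host with leading *. wildcard, port, path).
const HOST_SOURCE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:\s]+)(?::(\d+|\*))?(\/\S*)?$/i;

function sourceMatches(source, url, documentOrigin) {
  if (source === "'none'") return false;
  if (source === "*") return true;
  if (source === "'self'") return url.origin === documentOrigin;
  if (source.startsWith("'")) return false; // nonces, hashes, 'unsafe-*' never match a host
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const m = HOST_SOURCE.exec(source);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  if (scheme && scheme.toLowerCase() + ":" !== url.protocol) return false;
  const h = host.toLowerCase();
  const hostOk = h.startsWith("*.") ? url.hostname.endsWith(h.slice(1)) : url.hostname === h;
  if (!hostOk) return false;
  const urlPort = url.port || (url.protocol === "https:" ? "443" : "80");
  if (port && port !== "*" && port !== urlPort) return false;
  // A path ending in "/" is a prefix match; any other path must match exactly.
  if (path && !(path.endsWith("/") ? url.pathname.startsWith(path) : url.pathname === path)) return false;
  return true;
}

// Decide whether a document at `documentOrigin`, served with `header`, may
// frame `frameUrl`. Returns the verdict and the directive that decided it.
function checkFrameLoad(header, documentOrigin, frameUrl) {
  const policy = parsePolicy(header);
  const directive = governingDirective(policy, "frame-src");
  if (directive === null) return { allowed: true, directive: null, sources: [] };
  const sources = policy.get(directive);
  const url = new URL(frameUrl);
  return { allowed: sources.some((s) => sourceMatches(s, url, documentOrigin)), directive, sources };
}

// Constructed headers (assumed, not captured from Wicket) modelling the report.
const ORIGIN = "https://app.example";                   // assumed page origin
const FRAME = "https://docs.google.com/document/d/abc"; // assumed frame URL

// What the report describes: frame-src was mirrored once from child-src 'self',
// so the later child-src addition never reaches frame-src.
const REPORTED = "script-src 'self' https://apis.google.com/; " +
  "child-src 'self' https://docs.google.com/; frame-src 'self'";
// Same policy without frame-src: the browser falls back to child-src.
const NO_FRAME_SRC = "child-src 'self' https://docs.google.com/";
// The reporter's workaround: frame-src lists the host explicitly.
const WORKAROUND = REPORTED + " https://docs.google.com/";

function demo() {
  return {
    reported: checkFrameLoad(REPORTED, ORIGIN, FRAME),
    noFrameSrc: checkFrameLoad(NO_FRAME_SRC, ORIGIN, FRAME),
    workaround: checkFrameLoad(WORKAROUND, ORIGIN, FRAME),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run with `node`: the `reported` case is refused by frame-src even though child-src lists the host, the `noFrameSrc` case is allowed because frame-src falls back to child-src, and the `workaround` case is allowed because frame-src itself carries the host. The matcher is deliberately reduced to what the three cases need; a real user agent also handles redirects, `'strict-dynamic'`, and report-only policies.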