[ https://issues.apache.org/jira/browse/WICKET-7006?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Martin Tzvetanov Grigorov resolved WICKET-7006.
-----------------------------------------------
    Resolution: Not A Problem

Please use the forums for asking for help!

You already started at 
[https://stackoverflow.com/questions/73783715/using-csp-rules-per-page/73783877?noredirect=1#comment130322516_73783877]

 

> Configure CSP directives per Page
> ---------------------------------
>
>                 Key: WICKET-7006
>                 URL: https://issues.apache.org/jira/browse/WICKET-7006
>             Project: Wicket
>          Issue Type: Improvement
>          Components: wicket-core
>            Reporter: Dirk Forchel
>            Priority: Major
>
> Each Wicket component should be able to add/remove its own CSP 
> (Content-Security-Policy) rules to the Page and their Response header 
> currently rendered.
> Following the description in 
> [https://nightlies.apache.org/wicket/guide/9.x/single.html#_content_security_policy_csp]
>  all CSP rules are managed via Application settings (class 
> ContentSecurityPolicySettings). 
> Currently you are able to add/remove key-value-pairs to the CSP header 
> configuration for a specific Component (or even Behavior class) at any time, 
> e.g.
> {code:java}
> WebApplication.get().getCspSettings().getConfiguration().get(...).add(key, value)
> {code}
> or
> {code:java}
> WebApplication.get().getCspSettings().getConfiguration().get(...).remove(key, value)
> {code}
> But as a developer I would expect a more sophisticated way with some hook 
> methods, e.g.
> {code:java}
> public void addCSPDirectives(final CSPHeaderConfiguration configuration)
> {
>    configuration.add(CSPDirective.SCRIPT_SRC, new FixedCSPValue("www.foo.com"));
>    configuration.add(CSPDirective.STYLE_SRC, UNSAFE_INLINE);
> }
> {code}
> where each of these directives is rendered into the response header without 
> caring how this is done. Each of these directives should only be rendered when 
> the component is visible. After the rendering process, the added directives 
> are automatically removed from the map 
> (ContentSecurityPolicySettings#configs).



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
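
The request above asks for directives that apply only while a component is visible and are gone once rendering finishes. The sketch below models that by building the header from a per-response copy of the baseline, so the application-wide policy is never mutated. It is an added example in plain Java, not Wicket code or API and not from the issue; every class and method name in it is hypothetical.

```java
import java.util.*;

// Added illustration: plain Java, no Wicket classes. All names are hypothetical.
public class PerRequestCsp {
    /** A component that may contribute CSP sources while it is visible. */
    interface CspContributor {
        boolean isVisible();
        void contribute(Map<String, Set<String>> directives);
    }

    /** Application-wide baseline; immutable, never changed after start-up. */
    static final Map<String, Set<String>> BASE = Map.of(
        "default-src", Set.of("'none'"),
        "script-src", Set.of("'self'"),
        "style-src", Set.of("'self'"));

    /** Builds the header value for one response from a private copy of BASE. */
    static String headerFor(List<CspContributor> components) {
        Map<String, Set<String>> merged = new TreeMap<>();
        BASE.forEach((k, v) -> merged.put(k, new TreeSet<>(v)));
        for (CspContributor c : components) {
            if (c.isVisible()) c.contribute(merged); // hidden components add nothing
        }
        StringJoiner header = new StringJoiner("; ");
        merged.forEach((k, v) -> header.add(k + " " + String.join(" ", v)));
        return header.toString(); // 'merged' is discarded with the response
    }

    /** Constructed sample component using the values from the issue text. */
    static CspContributor widget(boolean visible) {
        return new CspContributor() {
            public boolean isVisible() { return visible; }
            public void contribute(Map<String, Set<String>> d) {
                d.computeIfAbsent("script-src", k -> new TreeSet<>()).add("www.foo.com");
                d.computeIfAbsent("style-src", k -> new TreeSet<>()).add("'unsafe-inline'");
            }
        };
    }

    public static void main(String[] args) {
        System.out.println(headerFor(List.of(widget(true))));  // relaxed for this response only
        System.out.println(headerFor(List.of(widget(false)))); // baseline policy unchanged
    }
}
```

Because the relaxed sources exist only in the per-response map, a page without the component never receives `'unsafe-inline'` or the extra script host, and no cleanup step is needed after rendering.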