[
https://issues.apache.org/jira/browse/WICKET-7006?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17608717#comment-17608717
]
Dirk Forchel commented on WICKET-7006:
--------------------------------------
I was the guy who asked the question at Stackoverflow. But I think there is a
problem. Yes, each component could add additional rules/directives but you
can't remove them. You can only remove the whole CSPDirective but not a special
value you have added. So, for example, if you add a value like this
blocking.add(CSPDirective.SCRIPT_SRC, new FixedCSPValue("www.foo.com"));
this value gets rendered on each page later on, even if this fixed CSP value is
actually not necessary anymore.
My opinion is that each component should provide its own rules and only if the
component is visible and used on a page, these directives should be rendered in
the HTTP header.
> Configure CSP directives per Page
> ---------------------------------
>
> Key: WICKET-7006
> URL: https://issues.apache.org/jira/browse/WICKET-7006
> Project: Wicket
> Issue Type: Improvement
> Components: wicket-core
> Reporter: Dirk Forchel
> Priority: Major
>
> Each Wicket component should be able to add/remove its own CSP
> (Content-Security-Policy) rules to the Page and their Response header
> currently rendered.
> Following the description in
> [https://nightlies.apache.org/wicket/guide/9.x/single.html#_content_security_policy_csp]
> all CSP rules are managed via Application settings (class
> ContentSecurityPolicySettings).
> Currently you are able to add/remove key-value-pairs to the CSP header
> configuration for a specific Component (or even Behavior class) at any time,
> e.g.
> {code:java}
> WebApplication.get().getCspSettings().getConfiguration().get(...).add(key, value)
> {code}
> or
> {code:java}
> WebApplication.get().getCspSettings().getConfiguration().get(...).remove(key, value)
> {code}
> But as developer I would expect a more sophisticated way with some hook
> methods, e.g.
> {code:java}
> public void addCSPDirectives(final CSPHeaderConfiguration configuration)
> {
>     // add to the configuration handed to the hook (the original used an undefined 'blocking' variable)
>     configuration.add(CSPDirective.SCRIPT_SRC, new FixedCSPValue("www.foo.com"));
>     configuration.add(CSPDirective.STYLE_SRC, CSPDirectiveSrcValue.UNSAFE_INLINE);
> }
> {code}
> where each of these directives is rendered into the response header without
> caring how this is done. Each of these directives should only be rendered when
> the component is visible. After the rendering process, the added directives
> are automatically removed from the map
> (ContentSecurityPolicySettings#configs).
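The thread's underlying concern is that a value added to the application-wide CSP configuration is emitted on every page, so the header grows to the union of everything any page ever needed. The following is an added example, not Wicket's code and not the reporter's proposal: it keeps a single application-level registration but implements `CSPRenderable` so that the extra origin is only rendered when the page currently being served has declared it. It assumes the Wicket 9 API names shown (`getCspSettings().blocking()`, `enforce(WebApplication)`, `RequestCycle.find(...)`, `IPageRequestHandler.getPage()`), assumes the page request handler is resolvable from the request cycle at the moment the CSP header is built, and uses a hypothetical marker interface `ScriptSourceProvider` that pages implement to state what they need.

```java
import java.util.Set;

import org.apache.wicket.core.request.handler.IPageRequestHandler;
import org.apache.wicket.csp.CSPDirective;
import org.apache.wicket.csp.CSPDirectiveSrcValue;
import org.apache.wicket.csp.CSPHeaderConfiguration;
import org.apache.wicket.csp.CSPRenderable;
import org.apache.wicket.csp.ContentSecurityPolicySettings;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.request.cycle.RequestCycle;

public class PageScopedCspApplication extends WebApplication
{
    /** Hypothetical marker: a page lists the extra script origins it genuinely needs. */
    public interface ScriptSourceProvider
    {
        Set<String> requiredScriptSources();
    }

    /**
     * Registered once at application start like a FixedCSPValue, but the origin is only
     * written into the header when the page being rendered has asked for it. Pages that
     * do not implement the marker, or do not list this origin, get nothing (fail closed).
     */
    public static class PageScopedSource implements CSPRenderable
    {
        private final String source;

        public PageScopedSource(String source)
        {
            this.source = source;
        }

        @Override
        public String render(ContentSecurityPolicySettings settings, RequestCycle cycle)
        {
            // Assumption: the page handler is on the cycle when Wicket builds the header.
            boolean needed = cycle.find(IPageRequestHandler.class)
                .map(IPageRequestHandler::getPage)
                .filter(ScriptSourceProvider.class::isInstance)
                .map(ScriptSourceProvider.class::cast)
                .map(page -> page.requiredScriptSources().contains(source))
                .orElse(false);
            // An empty string contributes nothing to the rendered directive.
            return needed ? source : "";
        }
    }

    /** Example page that opts in to one third-party script origin (constructed sample). */
    public static class ReportPage extends WebPage implements ScriptSourceProvider
    {
        @Override
        public Set<String> requiredScriptSources()
        {
            return Set.of("https://www.foo.com");
        }
    }

    @Override
    public Class<ReportPage> getHomePage()
    {
        return ReportPage.class;
    }

    @Override
    protected void init()
    {
        super.init();
        CSPHeaderConfiguration blocking = getCspSettings().blocking();
        // Baseline: only same-origin scripts, everywhere.
        blocking.add(CSPDirective.SCRIPT_SRC, CSPDirectiveSrcValue.SELF);
        // The extra origin is registered once, but only ReportPage (above) will actually
        // see it in its Content-Security-Policy header; every other page keeps 'self' only.
        blocking.add(CSPDirective.SCRIPT_SRC, new PageScopedSource("https://www.foo.com"));
        getCspSettings().enforce(this);
    }
}
```

Because the value never has to be removed from `ContentSecurityPolicySettings#configs`, this sidesteps the problem the comment raises (only whole directives can be removed) while still keeping each page's header as narrow as that page's needs. The check for the empty-string rendering and the exact hook point at which `render` is invoked should be confirmed against the Wicket version in use before relying on it.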