[ https://issues.apache.org/jira/browse/WICKET-7006?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17608725#comment-17608725 ]

Martin Tzvetanov Grigorov commented on WICKET-7006:
---------------------------------------------------

You ask how to use several Wicket functionalities (header contribution, request 
lifecycle, component lifecycle) in a ticket centered around CSP.

Jira is not a support forum!

Jira is about bugs and new feature requests!

You should use either [[email protected]|mailto:[email protected]] 
(recommended!) or StackOverflow for asking how to add something in the 
beginning of the request cycle or remove it at the end.

> Configure CSP directives per Page
> ---------------------------------
>
>                 Key: WICKET-7006
>                 URL: https://issues.apache.org/jira/browse/WICKET-7006
>             Project: Wicket
>          Issue Type: Improvement
>          Components: wicket-core
>            Reporter: Dirk Forchel
>            Priority: Major
>
> Each Wicket component should be able to add/remove its own CSP 
> (Content-Security-Policy) rules to the Page and their Response header 
> currently rendered.
> Following the description in 
> [https://nightlies.apache.org/wicket/guide/9.x/single.html#_content_security_policy_csp]
>  all CSP rules are managed via Application settings (class 
> ContentSecurityPolicySettings). 
> Currently you are able to add/remove key-value-pairs to the CSP header 
> configuration for a specific Component (or even Behavior class) at any time, 
> e.g.
> {code:java}
> WebApplication.get().getCspSettings().getConfiguration().get(...).add(key, value)
> {code}
> or
> {code:java}
> WebApplication.get().getCspSettings().getConfiguration().get(...).remove(key, value)
> {code}
> But as a developer I would expect a more sophisticated way with some hook 
> methods, e.g.
> {code:java}
> public void addCSPDirectives(final CSPHeaderConfiguration configuration)
> {
>    // add the directives to the configuration passed to the hook
>    configuration.add(CSPDirective.SCRIPT_SRC, new FixedCSPValue("www.foo.com"));
>    configuration.add(CSPDirective.STYLE_SRC, CSPDirectiveSrcValue.UNSAFE_INLINE);
> }
> {code}
> where each of these directives is rendered into the response header without 
> caring how this is done. Each of these directives should only be rendered when 
> the component is visible. After the rendering process, the added directives 
> are automatically removed from the map 
> (ContentSecurityPolicySettings#configs).



--
This message was sent by Atlassian Jira
(v8.20.10#820010)