[ https://issues.apache.org/jira/browse/WICKET-7092?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17803012#comment-17803012 ]
Martin Tzvetanov Grigorov edited comment on WICKET-7092 at 1/4/24 11:56 AM:
----------------------------------------------------------------------------

I asked for a Jira ticket because "-" and "_" are not really members of base64 encoding. Reading [https://en.wikipedia.org/wiki/Base64#Variants_summary_table] I see that in the latest RFC (rfc4648), if one uses the URL encoder then "+" and "/" are replaced with "-" and "_" in the alphabet. Maybe we just have to use the base encoding, not the URL encoding, at [https://github.com/apache/wicket/blob/e9461b0d115a7dbf4992596823521f6e038817d9/wicket-core/src/main/java/org/apache/wicket/core/random/ISecureRandomSupplier.java#L60] ?

was (Author: mgrigorov):
I asked for a Jira ticket because "-" and "_" are not really members of base64 encoding. Reading [https://en.wikipedia.org/wiki/Base64#Variants_summary_table] I see that in the latest RFC (rfc4648) if one uses the URL encoder then "+" and "/" are replaced with "-" and "+" in the alphabet. Maybe we just have to use the base encoding, not the URL encoding, at [https://github.com/apache/wicket/blob/e9461b0d115a7dbf4992596823521f6e038817d9/wicket-core/src/main/java/org/apache/wicket/core/random/ISecureRandomSupplier.java#L60] ?

> Content Security Policy 'Nonces should only use the base64 charset'
> -------------------------------------------------------------------
>
>                 Key: WICKET-7092
>                 URL: https://issues.apache.org/jira/browse/WICKET-7092
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket-core
>    Affects Versions: 9.16.0
>         Environment: Kali Linux
>            Reporter: sundar
>            Priority: Minor
>         Attachments: image-20240103-092246.png
>
>
> Hi all, I applied a strict content security policy to my application using
> Wicket after I tested my application using Kali Linux to check for
> vulnerabilities. The tool provides a report with an info message "Nonces
> should only use the base64 charset"; regarding this info message, is it
> needed to configure any properties in CSP?
> I attached the report screenshot

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
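The distinction the comment draws, as an added example that is not Wicket's own code: the same random bytes encoded with `java.util.Base64`'s URL-safe encoder (RFC 4648 section 5) and its standard encoder (RFC 4648 section 4), plus a check of the kind a strict "base64 charset only" scanner applies. The class name, the strict-alphabet regex and the constructed sample bytes are assumptions made for this example.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.regex.Pattern;

/** Added example (not Wicket code): standard vs. URL-safe Base64 for CSP nonces. */
public class CspNonceEncoding {

    // Alphabet a strict "base64 charset only" scanner accepts: RFC 4648 section 4 (assumed check).
    private static final Pattern STANDARD_ALPHABET = Pattern.compile("^[A-Za-z0-9+/]+={0,2}$");
    // RFC 4648 section 5 "base64url": '+' becomes '-' and '/' becomes '_'.
    private static final Pattern URL_SAFE_ALPHABET = Pattern.compile("^[A-Za-z0-9_-]+={0,2}$");

    private static final SecureRandom RANDOM = new SecureRandom();

    /** Nonce produced with the URL-safe encoder (the encoding the comment suggests moving away from). */
    static String urlSafeNonce(byte[] randomBytes) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(randomBytes);
    }

    /** Nonce produced with the standard encoder (the encoding the comment proposes). */
    static String standardNonce(byte[] randomBytes) {
        return Base64.getEncoder().encodeToString(randomBytes);
    }

    /** True when every character is in the standard alphabet (what the scanner message demands). */
    static boolean usesStandardAlphabet(String nonce) {
        return STANDARD_ALPHABET.matcher(nonce).matches();
    }

    static boolean usesUrlSafeAlphabet(String nonce) {
        return URL_SAFE_ALPHABET.matcher(nonce).matches();
    }

    static byte[] randomNonceBytes(int length) {
        byte[] bytes = new byte[length];
        RANDOM.nextBytes(bytes);
        return bytes;
    }

    public static void main(String[] args) {
        // Constructed input: 0xFB 0xFF 0xBF yields the sextets 62,63,62,63, so the two
        // encoders visibly differ: standard "+/+/" versus URL-safe "-_-_".
        byte[] constructed = {(byte) 0xFB, (byte) 0xFF, (byte) 0xBF};
        System.out.println("standard: " + standardNonce(constructed) + "  url-safe: " + urlSafeNonce(constructed));

        // With random bytes the URL-safe nonce passes the strict check only when no 62/63 sextet occurs,
        // which is exactly the intermittent finding a scanner would report; the standard nonce always passes.
        byte[] random = randomNonceBytes(18); // 18 bytes -> 24 characters, no padding
        System.out.println("standard passes strict check: " + usesStandardAlphabet(standardNonce(random)));
        System.out.println("url-safe  passes strict check: " + usesStandardAlphabet(urlSafeNonce(random)));
    }
}
```

CSP Level 3's own `base64-value` grammar accepts both alphabets, so the scanner's message is stricter than the specification; switching the encoder removes the finding without changing the nonce's entropy.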