This is an automated email from the ASF dual-hosted git repository.
mgrigorov pushed a commit to branch wicket-9.x
in repository https://gitbox.apache.org/repos/asf/wicket.git
The following commit(s) were added to refs/heads/wicket-9.x by this push:
new a3b53cfff1 WICKET-7096: add missing nonce to auto linked resources
(#768)
a3b53cfff1 is described below
commit a3b53cfff193a79db22b5b865d7568519e36b587
Author: Sebastian Thomschke <[email protected]>
AuthorDate: Thu Jan 18 09:27:20 2024 +0100
WICKET-7096: add missing nonce to auto linked resources (#768)
(cherry picked from commit 3683374ae412bebdcc8ec030ad19c8251e8d71cb)
---
.../apache/wicket/markup/resolver/AutoLinkResolver.java | 8 ++++++++
.../wicket/markup/resolver/AutoLinkResolverTest.java | 16 ++++++++++++++++
2 files changed, 24 insertions(+)
diff --git
a/wicket-core/src/main/java/org/apache/wicket/markup/resolver/AutoLinkResolver.java
b/wicket-core/src/main/java/org/apache/wicket/markup/resolver/AutoLinkResolver.java
index c23cf7593c..999c1f8dc8 100644
---
a/wicket-core/src/main/java/org/apache/wicket/markup/resolver/AutoLinkResolver.java
+++
b/wicket-core/src/main/java/org/apache/wicket/markup/resolver/AutoLinkResolver.java
@@ -25,6 +25,7 @@ import org.apache.wicket.Component;
import org.apache.wicket.MarkupContainer;
import org.apache.wicket.Page;
import org.apache.wicket.application.IClassResolver;
+import org.apache.wicket.core.util.string.JavaScriptUtils;
import org.apache.wicket.markup.ComponentTag;
import org.apache.wicket.markup.IMarkupFragment;
import org.apache.wicket.markup.MarkupStream;
@@ -619,6 +620,13 @@ public final class AutoLinkResolver implements
IComponentResolver
// generate the href attribute
tag.put(attribute, url);
+
+ // add nonce if required
+ final var csp =
getWebApplication().getCspSettings();
+ if(csp.isNonceEnabled())
+ {
+ tag.put(JavaScriptUtils.ATTR_CSP_NONCE,
csp.getNonce(getRequestCycle()));
+ }
}
}
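Review bot: The nonce is written to every tag that reaches this branch, and nothing in the visible lines checks the element name. A CSP nonce is only honoured on script and style-loading elements, so if this path also handles auto-linked `<img>` or `<a>` tags, the per-request nonce ends up in markup that gains nothing from it. The enclosing method starts outside the hunk and may already restrict the tag type, so this needs confirming. If it does not, narrow the guard with `final String name = tag.getName();` and `if (csp.isNonceEnabled() && ("link".equalsIgnoreCase(name) || "script".equalsIgnoreCase(name)))`. A comment such as `// nonce is only meaningful on elements CSP checks by nonce` would record the reason.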
diff --git
a/wicket-core/src/test/java/org/apache/wicket/markup/resolver/AutoLinkResolverTest.java
b/wicket-core/src/test/java/org/apache/wicket/markup/resolver/AutoLinkResolverTest.java
index 7381757e8c..5a016fa56f 100644
---
a/wicket-core/src/test/java/org/apache/wicket/markup/resolver/AutoLinkResolverTest.java
+++
b/wicket-core/src/test/java/org/apache/wicket/markup/resolver/AutoLinkResolverTest.java
@@ -17,6 +17,7 @@
package org.apache.wicket.markup.resolver;
import static org.hamcrest.CoreMatchers.containsString;
+import static org.hamcrest.CoreMatchers.not;
import static org.hamcrest.MatcherAssert.assertThat;
import java.util.Locale;
@@ -66,4 +67,19 @@ class AutoLinkResolverTest extends WicketTestCase
assertThat(tester.getLastResponseAsString(),
containsString(EXISTENT_RESOURCE_LOCALE.getCountry()));
}
+
+ @Test
+ void testNonceIsPresentForAutoLinkLocalizedResource() {
+ PageWithAutoLinkedLocalResource instance = new
PageWithAutoLinkedLocalResource();
+
+ var settings = tester.getApplication().getCspSettings();
+
+ settings.blocking().disabled();
+ tester.startPage(instance);
+ assertThat(tester.getLastResponseAsString(),
not(containsString("nonce=\"")));
+
+ settings.blocking().strict();
+ tester.startPage(instance);
+ assertThat(tester.getLastResponseAsString(),
containsString("nonce=\""));
+ }
}
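Review bot: The strict-mode assertion in `testNonceIsPresentForAutoLinkLocalizedResource` only checks that `nonce="` appears somewhere in the response, not that it sits on the auto-linked resource tag. If the page renders any other nonce-carrying element under `settings.blocking().strict()` (header scripts, for instance; the page markup is not visible here), the test would pass even without the resolver change. Asserting on the auto-linked element itself would pin the behaviour, for example by matching the nonce attribute within the same tag that carries the localized resource URL. The test also leaves the application's CSP settings in strict mode after it finishes; that is harmless only if `WicketTestCase` builds a fresh application per test, which is worth a one-line comment.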