This is an automated email from the ASF dual-hosted git repository.
pedro pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/wicket.git
The following commit(s) were added to refs/heads/master by this push:
new 0968c08142 Revert "WICKET-7107 configure ContentSecurityPolicySettings
to protect buffered pages"
0968c08142 is described below
commit 0968c081425b79ee9d1c4a0058621804863c5c3a
Author: Pedro Santos <[email protected]>
AuthorDate: Wed Dec 11 10:45:16 2024 -0300
Revert "WICKET-7107 configure ContentSecurityPolicySettings to protect
buffered pages"
This reverts commit 6f1d6a2ce7046f446c52e977ac4c9edb5d201471.
---
.../csp/CSPSettingRequestCycleListenerTest.java | 75 +++++++---------------
.../wicket/csp/ContentSecurityPolicySettings.java | 9 +--
2 files changed, 24 insertions(+), 60 deletions(-)
diff --git
a/wicket-core-tests/src/test/java/org/apache/wicket/csp/CSPSettingRequestCycleListenerTest.java
b/wicket-core-tests/src/test/java/org/apache/wicket/csp/CSPSettingRequestCycleListenerTest.java
index 28c5efd738..1fdd8cb92c 100644
---
a/wicket-core-tests/src/test/java/org/apache/wicket/csp/CSPSettingRequestCycleListenerTest.java
+++
b/wicket-core-tests/src/test/java/org/apache/wicket/csp/CSPSettingRequestCycleListenerTest.java
@@ -16,21 +16,19 @@
*/
package org.apache.wicket.csp;
-import org.apache.wicket.MarkupContainer;
-import org.apache.wicket.RestartResponseException;
-import org.apache.wicket.markup.IMarkupResourceStreamProvider;
-import org.apache.wicket.markup.html.WebPage;
-import org.apache.wicket.mock.MockApplication;
-import org.apache.wicket.protocol.http.WebApplication;
-import org.apache.wicket.request.cycle.RequestCycle;
-import org.apache.wicket.util.resource.IResourceStream;
-import org.apache.wicket.util.resource.StringResourceStream;
-import org.apache.wicket.util.tester.DummyHomePage;
-import org.apache.wicket.util.tester.WicketTestCase;
-import org.junit.jupiter.api.Assertions;
-import org.junit.jupiter.api.Test;
-import org.junit.jupiter.params.ParameterizedTest;
-import org.junit.jupiter.params.provider.ValueSource;
+import static org.apache.wicket.csp.CSPDirective.CHILD_SRC;
+import static org.apache.wicket.csp.CSPDirective.DEFAULT_SRC;
+import static org.apache.wicket.csp.CSPDirective.FRAME_SRC;
+import static org.apache.wicket.csp.CSPDirective.IMG_SRC;
+import static org.apache.wicket.csp.CSPDirective.REPORT_URI;
+import static org.apache.wicket.csp.CSPDirective.SANDBOX;
+import static org.apache.wicket.csp.CSPDirectiveSandboxValue.ALLOW_FORMS;
+import static org.apache.wicket.csp.CSPDirectiveSandboxValue.EMPTY;
+import static org.apache.wicket.csp.CSPDirectiveSrcValue.NONE;
+import static org.apache.wicket.csp.CSPDirectiveSrcValue.SELF;
+import static org.apache.wicket.csp.CSPDirectiveSrcValue.WILDCARD;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertThrows;
import java.net.URI;
import java.net.URISyntaxException;
@@ -41,14 +39,15 @@ import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
-import static org.apache.wicket.csp.CSPDirective.*;
-import static org.apache.wicket.csp.CSPDirectiveSandboxValue.ALLOW_FORMS;
-import static org.apache.wicket.csp.CSPDirectiveSandboxValue.EMPTY;
-import static org.apache.wicket.csp.CSPDirectiveSrcValue.*;
-import static org.hamcrest.CoreMatchers.containsString;
-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertThrows;
+import org.apache.wicket.mock.MockApplication;
+import org.apache.wicket.protocol.http.WebApplication;
+import org.apache.wicket.request.cycle.RequestCycle;
+import org.apache.wicket.util.tester.DummyHomePage;
+import org.apache.wicket.util.tester.WicketTestCase;
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.ValueSource;
class CSPSettingRequestCycleListenerTest extends WicketTestCase
{
@@ -382,36 +381,6 @@ class CSPSettingRequestCycleListenerTest extends
WicketTestCase
assertThrows(IllegalArgumentException.class, () ->
settings.add(IMG_SRC, source + ":"));
}
- @Test
- void addCspDirectiveInBufferedPageResponses()
- {
- tester.setFollowRedirects(true);
-
tester.getApplication().getCspSettings().blocking().add(STYLE_SRC, SELF);
-
- tester.startPage(RedirectPage.class);
-
-
assertThat(tester.getLastResponse().getHeader("Content-Security-Policy"),
- containsString(STYLE_SRC.getValue()));
- }
-
- public static class Page extends WebPage implements
IMarkupResourceStreamProvider
- {
- @Override
- public IResourceStream getMarkupResourceStream(MarkupContainer
container,
- Class<?> containerClass)
- {
- return new
StringResourceStream("<html><head></head><body></body></html>");
- }
- }
-
- public static class RedirectPage extends Page
- {
- public RedirectPage()
- {
- throw new RestartResponseException(new Page());
- }
- }
-
private String renderDirective(List<CSPRenderable> values,
ContentSecurityPolicySettings settings, RequestCycle cycle)
diff --git
a/wicket-core/src/main/java/org/apache/wicket/csp/ContentSecurityPolicySettings.java
b/wicket-core/src/main/java/org/apache/wicket/csp/ContentSecurityPolicySettings.java
index 4c3ba85b45..65b510b7f4 100644
---
a/wicket-core/src/main/java/org/apache/wicket/csp/ContentSecurityPolicySettings.java
+++
b/wicket-core/src/main/java/org/apache/wicket/csp/ContentSecurityPolicySettings.java
@@ -25,7 +25,6 @@ import java.util.function.Supplier;
import org.apache.wicket.Application;
import org.apache.wicket.MetaDataKey;
import org.apache.wicket.Page;
-import org.apache.wicket.core.request.handler.BufferedResponseRequestHandler;
import org.apache.wicket.core.request.handler.IPageRequestHandler;
import org.apache.wicket.core.request.handler.RenderPageRequestHandler;
import org.apache.wicket.protocol.http.WebApplication;
@@ -70,18 +69,14 @@ public class ContentSecurityPolicySettings
private final Map<CSPHeaderMode, CSPHeaderConfiguration> configs = new
EnumMap<>(
CSPHeaderMode.class);
- private Predicate<IRequestHandler> protectedFilter;
+ private Predicate<IRequestHandler> protectedFilter =
RenderPageRequestHandler.class::isInstance;
private Supplier<String> nonceCreator;
public ContentSecurityPolicySettings(Application application)
{
Args.notNull(application, "application");
-
- Predicate<IRequestHandler> isPage =
RenderPageRequestHandler.class::isInstance;
- Predicate<IRequestHandler> isBufferedPage =
BufferedResponseRequestHandler.class::isInstance;
- protectedFilter = isPage.or(isBufferedPage);
-
+
nonceCreator = () ->
application.getSecuritySettings().getRandomSupplier().getRandomBase64(NONCE_LENGTH);
}
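Review bot: The restored initializer `private Predicate<IRequestHandler> protectedFilter = RenderPageRequestHandler.class::isInstance;` no longer matches `BufferedResponseRequestHandler`, so page responses served from the render buffer after a redirect are presumably sent without the configured Content-Security-Policy header again; that is the case WICKET-7107 addressed and the removed `addCspDirectiveInBufferedPageResponses` test asserted. Neither the commit message nor the code says why the protection was withdrawn, so I would record the gap on the field, e.g. `// Buffered page responses (BufferedResponseRequestHandler) are not matched by this default; see WICKET-7107`, and keep the removed test in the suite marked `@Disabled` with the same reference so the missing coverage stays visible. The line added in the constructor after `Args.notNull(application, "application");` is whitespace-only and should be a plain empty line. The class body continues outside the hunk.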