martin-g commented on a change in pull request #376: WICKET-6682 add CSP nonce 
support: DecoratingHeaderResponse approach
URL: https://github.com/apache/wicket/pull/376#discussion_r303299242
 
 

 ##########
 File path: 
wicket-core/src/main/java/org/apache/wicket/markup/head/JavaScriptHeaderItem.java
 ##########
 @@ -365,15 +372,54 @@ protected final void 
internalRenderJavaScriptReference(Response response, String
                boolean isAjax = 
RequestCycle.get().find(IPartialPageRequestHandler.class).isPresent();
                // the url needs to be escaped when Ajax, because it will break 
the Ajax Response XML (WICKET-4777)
                CharSequence escapedUrl = isAjax ? Strings.escapeMarkup(url): 
url;
-
-               JavaScriptUtils.writeJavaScriptUrl(response, escapedUrl, id, 
defer, charset, async);
+               AttributeMap attributes = AttributeMap.of(
+                               HeaderItemAttribute.TYPE, "text/javascript",
+                               HeaderItemAttribute.SCRIPT_SRC, 
String.valueOf(escapedUrl)
+               );
+               if (id != null)
+               {
+                       attributes.add(HeaderItemAttribute.ID, id);
+               }
+               if (defer)
+               {
+                       attributes.add(HeaderItemAttribute.SCRIPT_DEFER, 
"defer");
+               }
+               if (charset != null)
+               {
+                       // XXX this attribute is not necessary for modern 
browsers
+                       attributes.add("charset", charset);
+               }
+               if (async)
+               {
+                       attributes.add(HeaderItemAttribute.SCRIPT_ASYNC, 
"async");
+               }
+               attributes.compute(HeaderItemAttribute.CSP_NONCE, 
this::getNonce);
+               JavaScriptUtils.writeJavaScriptUrl(response, attributes);
 
                if (hasCondition)
                {
                        response.write("<![endif]-->\n");
                }
        }
 
+       /**
+        * @return CSP nonce
+        */
+       public String getNonce() {
+               return nonce;
+       }
+
+       /**
+        * Set the CSP nonce
+        * @param nonce
+        * @return {@code this} object, for method chaining
+        */
+       public JavaScriptHeaderItem setNonce(String nonce) {
+               Args.notNull(nonce, "nonce");
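Review bot: In `internalRenderJavaScriptReference`, `escapedUrl` is markup-escaped only on the Ajax path, yet every value (`id`, `charset`, the URL and the nonce) now reaches the response through `AttributeMap`, and the hunk does not show whether `JavaScriptUtils.writeJavaScriptUrl(response, attributes)` escapes attribute values. If the writer escapes, the Ajax URL would presumably be escaped twice; if it does not, the other values are written into the `<script>` tag as given, so a caller-supplied `id`, `charset` or nonce containing a quote could break out of its attribute. I would record the contract above the `AttributeMap.of(...)` call, for example `// writeJavaScriptUrl(response, attributes) writes values verbatim; callers must pass markup-safe values`, or drop the Ajax-only `Strings.escapeMarkup(url)` if the writer already escapes. The method starts above the hunk and the quoted `setNonce` body is cut off after its first statement, so this is based only on the visible lines.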
 
 Review comment:
   nonEmpty

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
[email protected]


With regards,
Apache Git Services
