papegaaij commented on a change in pull request #399: WICKET-6727: Configurable Content-Security-Policy
URL: https://github.com/apache/wicket/pull/399#discussion_r369205446
 
 

 ##########
 File path: wicket-examples/src/main/java/org/apache/wicket/examples/WicketExampleApplication.java
 ##########
 @@ -57,5 +58,7 @@ protected void init()
                getDebugSettings().setDevelopmentUtilitiesEnabled(true);
                
                getResourceSettings().setCssCompressor(new CssUrlReplacer());
+               getCsp().blocking().add(CSPDirective.STYLE_SRC, 
"https://maxcdn.bootstrapcdn.com/font-awesome/4.3.0/css/font-awesome.min.css";)
+                               .add(CSPDirective.FONT_SRC, 
"https://maxcdn.bootstrapcdn.com";);
 
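Review bot: the two added string literals end in `";)` and `";` with the semicolon inside the closing quote, which would not compile as Java; if that is not a mail-archive artifact, drop the stray semicolons. Separately, pinning `STYLE_SRC` to the single `font-awesome.min.css` path restricts which URL may be loaded but not what the CDN serves at that URL, so consider an `integrity` (SRI) hash on the `<link>` that references it, and note that the `FONT_SRC` entry grants the whole `maxcdn.bootstrapcdn.com` host rather than only the `font-awesome/4.3.0` path.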
 Review comment:
   You can use hosts with a path in CSP and it will match all resources on that host. The problem in this case is that this is a CDN. It could deliver anything. It is better not to use CDNs at all. With HTTP/2 it adds latency to your page loads, because multiple HTTP connections need to be established, and it makes it very difficult to protect your site with CSP.
   
   In this particular case I chose to only allow one CSS file, but all fonts from the CDN. This makes it impossible to inject styling and therefore very hard to load fake fonts as well.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services
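The distinction the comment above draws between allowing one CSS file and allowing a whole CDN host comes down to how browsers match a CSP host-source expression. The following is an added example, not Wicket code and not part of the pull request: a minimal matcher for host-source expressions that follows the CSP Level 3 rules for scheme, host, port and path, run against a constructed policy built from the two sources in the hunk. Keyword sources ('self', nonces, hashes) are not handled, and a source without a scheme is assumed to belong to an https page.

```javascript
// Added example (not Wicket code): a minimal matcher for CSP host-source
// expressions, following the CSP Level 3 rules for scheme, host, port and
// path. Keyword sources ('self', 'none', nonces, hashes) are deliberately
// not handled. URLs are parsed with the WHATWG URL class built into Node.

const DEFAULT_PORT = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Parse one source expression into its parts. A bare "https:" is a scheme
// source; otherwise the expression is [scheme://]host[:port][/path].
function parseSource(expr) {
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {
    return { scheme: expr.toLowerCase(), host: null, port: null, path: null };
  }
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?(\/[^?#]*)?$/i.exec(expr);
  if (!m) throw new Error("unsupported source expression: " + expr);
  return {
    scheme: m[1] ? m[1].toLowerCase() + ":" : null,
    host: m[2].toLowerCase(),
    port: m[3] || null,
    path: m[4] || null,
  };
}

function schemeMatches(srcScheme, urlScheme) {
  if (srcScheme === urlScheme) return true;
  // An insecure scheme in the policy also covers its secure counterpart,
  // never the other way round.
  return (srcScheme === "http:" && urlScheme === "https:") ||
         (srcScheme === "ws:" && urlScheme === "wss:");
}

function hostMatches(srcHost, urlHost) {
  if (srcHost === "*") return true;
  if (srcHost.startsWith("*.")) {
    // "*.example.com" matches sub.example.com but not example.com itself.
    return urlHost.endsWith(srcHost.slice(1)) && urlHost.length > srcHost.length - 1;
  }
  return srcHost === urlHost;
}

function portMatches(srcPort, url) {
  // URL normalises a default port to "", so fill it back in for comparison.
  const urlPort = url.port || DEFAULT_PORT[url.protocol] || "";
  if (srcPort === "*") return true;
  if (srcPort === null) return urlPort === (DEFAULT_PORT[url.protocol] || "");
  return srcPort === urlPort;
}

function pathMatches(srcPath, urlPath) {
  // No path (or just "/") in the source: every path on the host matches.
  if (srcPath === null || srcPath === "/") return true;
  // Trailing slash: the source names a directory and matches everything below it.
  if (srcPath.endsWith("/")) return urlPath.startsWith(srcPath);
  // Otherwise only that exact path matches; query and fragment are not compared.
  return urlPath === srcPath;
}

function urlMatchesSource(expr, url) {
  const src = parseSource(expr);
  if (src.host === null) return schemeMatches(src.scheme, url.protocol);
  // Assumption for this example: a source with no scheme belongs to an https
  // page, so it matches https URLs only (the spec uses the page's own scheme).
  const scheme = src.scheme || "https:";
  return schemeMatches(scheme, url.protocol) &&
         hostMatches(src.host, url.hostname) &&
         portMatches(src.port, url) &&
         pathMatches(src.path, url.pathname);
}

// True when any expression in the directive's source list matches the URL.
function urlAllowedBy(sourceList, urlString) {
  const url = new URL(urlString);
  return sourceList.some((expr) => urlMatchesSource(expr, url));
}

// Constructed policy: only the two CDN sources added in the hunk.
const FONT_AWESOME_CSS =
  "https://maxcdn.bootstrapcdn.com/font-awesome/4.3.0/css/font-awesome.min.css";
const POLICY = {
  "style-src": [FONT_AWESOME_CSS],
  "font-src": ["https://maxcdn.bootstrapcdn.com"],
};

function allowed(directive, urlString) {
  return urlAllowedBy(POLICY[directive], urlString);
}

// One stylesheet path is allowed; any other file on the same CDN is not,
// while font-src accepts any path on the host.
console.log(allowed("style-src", FONT_AWESOME_CSS));
console.log(allowed("style-src", "https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css"));
console.log(allowed("font-src", "https://maxcdn.bootstrapcdn.com/font-awesome/4.3.0/fonts/fontawesome-webfont.woff2?v=4.3.0"));
```

The matcher also shows the prefix rule that sits between the two extremes: a source ending in `/` (for instance `https://maxcdn.bootstrapcdn.com/font-awesome/`) matches everything below that directory, whereas the same expression without the trailing slash matches only that exact path.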
