papegaaij commented on a change in pull request #399: WICKET-6727: Configurable Content-Security-Policy URL: https://github.com/apache/wicket/pull/399#discussion_r369416763
########## File path: wicket-examples/src/main/java/org/apache/wicket/examples/WicketExampleApplication.java ########## @@ -57,5 +58,7 @@ protected void init() getDebugSettings().setDevelopmentUtilitiesEnabled(true); getResourceSettings().setCssCompressor(new CssUrlReplacer()); + getCsp().blocking().add(CSPDirective.STYLE_SRC, "https://maxcdn.bootstrapcdn.com/font-awesome/4.3.0/css/font-awesome.min.css") + .add(CSPDirective.FONT_SRC, "https://maxcdn.bootstrapcdn.com");

Review comment: You can trust the CDN to deliver the font-awesome css when you request that URL, but you can't just whitelist a whole CDN, because it may also contain scripts and styles you absolutely do not want. Strictly speaking this also holds for fonts, but loading a strange font is very hard to do when you can't inject css and exploiting an application via fonts is even harder. That's why I chose to whitelist just that one CSS file for styling but the whole CDN for fonts.

With regards to HTTP2, that's a whole different discussion, but HTTP2 allows multiplexing multiple requests over a single connection. This reduces your startup time for loading a page. Any content served from the same location as the main page can be loaded directly over the same connection. For a CDN, a new HTTP connection has to be set up (when it cannot be loaded from the cache). This is also why the old technique of combining many resources into one bundle doesn't help much with HTTP2.
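Review bot: font-src is granted the entire https://maxcdn.bootstrapcdn.com origin while style-src is pinned to a single file; a CSP host-source may carry a path, and a path ending in `/` matches everything beneath it, so the font entry could be narrowed to the font-awesome/4.3.0/ directory on that CDN instead of the whole host. A short code comment next to these two `add(...)` calls explaining why the style entry is one file and the font entry is an origin would also help, since that reasoning currently lives only in this review thread.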
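The whitelisting granularity discussed in the comment above, as an added example that is not part of the pull request or of Wicket's own code: a simplified Python matcher for CSP host-source expressions (no wildcards, nonces, hashes, 'self' or the http-to-https upgrade rule), applied to the two entries from the hunk plus a constructed path-prefix variant for font-src.

```python
"""Simplified CSP host-source matcher (added example, not Wicket or PR code).

Covers scheme + host + optional port + optional path, which is enough to show
why whitelisting one CSS file behaves differently from whitelisting a whole
CDN origin. Wildcards, nonces, hashes, 'self' and the http->https upgrade
rule are deliberately left out.
"""
from urllib.parse import urlsplit

DEFAULT_PORT = {"https": 443, "http": 80}

# The two entries from the review hunk, expressed as a policy dict.
POLICY = {
    "style-src": [
        "https://maxcdn.bootstrapcdn.com/font-awesome/4.3.0/css/font-awesome.min.css"
    ],
    "font-src": ["https://maxcdn.bootstrapcdn.com"],
}

# Constructed variant: same style entry, but fonts limited to the font-awesome
# 4.3.0 directory via a trailing-slash path source (prefix match).
NARROWED_POLICY = {
    "style-src": POLICY["style-src"],
    "font-src": ["https://maxcdn.bootstrapcdn.com/font-awesome/4.3.0/"],
}


def source_matches(source: str, url: str) -> bool:
    """True if `url` is permitted by the single host-source `source`."""
    s, u = urlsplit(source), urlsplit(url)
    if s.scheme != u.scheme or s.hostname != u.hostname:
        return False
    if (s.port or DEFAULT_PORT.get(s.scheme)) != (u.port or DEFAULT_PORT.get(u.scheme)):
        return False
    if not s.path:                    # origin-only source: any path on the host
        return True
    if s.path.endswith("/"):          # directory source: path-prefix match
        return u.path.startswith(s.path)
    return u.path == s.path           # file source: exact path match


def allowed(policy: dict, directive: str, url: str) -> bool:
    """True if `url` may be loaded under `directive` of `policy`."""
    return any(source_matches(src, url) for src in policy.get(directive, []))
```

With POLICY, only the pinned font-awesome stylesheet passes style-src while any font on the CDN passes font-src; NARROWED_POLICY additionally rejects fonts outside the font-awesome/4.3.0/ directory.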