papegaaij commented on a change in pull request #399: WICKET-6727: Configurable Content-Security-Policy
URL: https://github.com/apache/wicket/pull/399#discussion_r369416763
 
 

 ##########
 File path: wicket-examples/src/main/java/org/apache/wicket/examples/WicketExampleApplication.java
 ##########
 @@ -57,5 +58,7 @@ protected void init()
                getDebugSettings().setDevelopmentUtilitiesEnabled(true);
                
                getResourceSettings().setCssCompressor(new CssUrlReplacer());
+               getCsp().blocking().add(CSPDirective.STYLE_SRC, 
"https://maxcdn.bootstrapcdn.com/font-awesome/4.3.0/css/font-awesome.min.css";)
+                               .add(CSPDirective.FONT_SRC, 
"https://maxcdn.bootstrapcdn.com";);
 
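Review bot: the two added `add()` calls scope `STYLE_SRC` to a single file path but grant `FONT_SRC` the whole `https://maxcdn.bootstrapcdn.com` origin, and nothing in the code records why the two are different; a short comment next to the calls (path-scoped because the CDN also hosts scripts and styles the example must not be able to load, origin-wide for fonts because that is much harder to abuse) would stop a later cleanup from "simplifying" both entries to the origin. It is also worth noting in that comment that a path in a CSP source expression only restricts the initial request: if the CDN answers the stylesheet request with a redirect, the browser matches the redirect target on scheme, host and port alone, so the `STYLE_SRC` entry is effectively origin-wide for redirected responses.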
 Review comment:
   You can trust the CDN to deliver the font-awesome css when you request that 
URL, but you can't just whitelist a whole CDN, because it may also contain 
scripts and styles you absolutely do not want. Strictly speaking this also 
holds for fonts, but loading a strange font is very hard to do when you can't 
inject css and exploiting an application via fonts is even harder. That's why I 
chose to whitelist just that one CSS file for styling but the whole CDN for 
fonts.
   
   With regards to HTTP2, that's a whole different discussion, but HTTP2 allows 
multiplexing multiple requests over a single connection. This reduces your 
startup time for loading a page. Any content served from the same location as 
the main page can be loaded directly over the same connection. For a CDN, a new 
HTTP connection has to be setup (when it cannot be loaded from the cache). This 
is also why the old technique of combining many resources into one bundle 
doesn't help much with HTTP2.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services
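The review comment above argues for whitelisting one CSS file for `style-src` while allowing the whole CDN origin for `font-src`. The following is an added example, not code from the Wicket PR or the project: a small Python evaluator for CSP host-source expressions (scheme, host with a leading `*.` wildcard, port, and path, with the CSP rule that path matching is skipped after a redirect) applied to the policy the two `add()` calls in the hunk produce. The page origin `https://wicket.example`, the surrounding `default-src 'self'` and the other CDN paths are constructed for the demonstration; keyword sources other than `'self'`, `'none'` and `*` (nonces, hashes, `'unsafe-inline'`) are deliberately out of scope.

```python
"""Simplified CSP Level 3 host-source matching, as an added illustration of
why a path-scoped style-src entry and an origin-wide font-src entry differ.
Not Wicket's own CSP implementation."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _split(origin_or_url: str):
    """Return (scheme, host, port, path). Schemeless host-sources such as
    'cdn.example.com' are treated as https here (demo simplification)."""
    s = origin_or_url if "://" in origin_or_url else "https://" + origin_or_url
    p = urlsplit(s)
    scheme = p.scheme.lower()
    host = p.hostname or ""                 # urlsplit lower-cases the host
    port = p.port or DEFAULT_PORTS.get(scheme)
    return scheme, host, port, p.path       # path stays case-sensitive


def source_matches(expression: str, url: str, page_origin: str,
                   redirected: bool = False) -> bool:
    """Does a single CSP source expression allow a fetch of `url`?
    Path matching is skipped when the fetch went through a redirect, which is
    what the CSP spec requires (only scheme, host and port are compared)."""
    expr = expression.strip()
    if expr == "'none'":
        return False
    if expr == "*":
        return True
    if expr == "'self'":
        expr = page_origin                  # 'self' == the page's own origin
    e_scheme, e_host, e_port, e_path = _split(expr)
    u_scheme, u_host, u_port, u_path = _split(url)
    # An https expression never matches a plain-http URL; http matches both.
    if e_scheme == "https" and u_scheme != "https":
        return False
    if e_scheme == "http" and u_scheme not in ("http", "https"):
        return False
    if e_host.startswith("*."):             # wildcard: any subdomain
        if not u_host.endswith(e_host[1:]):
            return False
    elif e_host != u_host:
        return False
    if e_port != u_port:
        return False
    if redirected or e_path in ("", "/"):
        return True                         # origin-wide, or path ignored
    if e_path.endswith("/"):
        return u_path.startswith(e_path)    # directory prefix match
    return u_path == e_path                 # exact file match


def parse_policy(header: str) -> dict:
    """Parse a Content-Security-Policy header value into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def csp_allows(policy: dict, directive: str, url: str, page_origin: str,
               redirected: bool = False) -> bool:
    """Evaluate a fetch directive, falling back to default-src when the
    specific directive is absent, as browsers do."""
    sources = policy.get(directive, policy.get("default-src", []))
    return any(source_matches(s, url, page_origin, redirected) for s in sources)


# Constructed inputs: hypothetical page origin plus the two CDN entries from the hunk.
PAGE_ORIGIN = "https://wicket.example"
CDN = "https://maxcdn.bootstrapcdn.com"
FA_CSS = CDN + "/font-awesome/4.3.0/css/font-awesome.min.css"
HEADER = f"default-src 'self'; style-src 'self' {FA_CSS}; font-src 'self' {CDN}"
POLICY = parse_policy(HEADER)


def demo() -> dict:
    """What the policy from the hunk lets through, keyed by scenario."""
    return {
        # the one whitelisted stylesheet loads
        "fa_css": csp_allows(POLICY, "style-src", FA_CSS, PAGE_ORIGIN),
        # any other stylesheet on the same CDN is blocked
        "other_css_on_cdn": csp_allows(
            POLICY, "style-src", CDN + "/bootstrap/3.3.7/css/bootstrap.min.css", PAGE_ORIGIN),
        # fonts are allowed from anywhere on the CDN origin
        "any_font_on_cdn": csp_allows(
            POLICY, "font-src", CDN + "/font-awesome/4.3.0/fonts/fontawesome-webfont.woff2", PAGE_ORIGIN),
        # no script-src entry, so default-src 'self' applies and the CDN is blocked
        "script_on_cdn": csp_allows(
            POLICY, "script-src", CDN + "/bootstrap/3.3.7/js/bootstrap.min.js", PAGE_ORIGIN),
        # caveat: after a redirect the path is ignored, so the origin is what counts
        "redirected_css": csp_allows(
            POLICY, "style-src", CDN + "/somewhere/else.css", PAGE_ORIGIN, redirected=True),
    }


if __name__ == "__main__":
    for scenario, allowed in demo().items():
        print(f"{scenario:18s} {'allowed' if allowed else 'blocked'}")
```

The `redirected_css` case is the one to keep in mind when relying on a path-scoped entry: the path only constrains the first request, so a CDN that redirects (for example to a versioned or mirrored path) effectively widens `style-src` to the whole origin for that response.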