>> IMO we should explain that the CSP support has already been added in 9.x
>> and close this forgotten JIRA ticket.
>> Then if they still think there are ways to improve the current
>> implementation they are very welcome to contribute!

Martin, I did tell it first:

>> Hi Santiago.
>>
>> The CSP support has actually improved a lot since then.
>> Wicket got rid of evals in the code, see here
>> https://github.com/apache/wicket/pull/384 /
>> https://issues.apache.org/jira/browse/WICKET-6703
>>
>> How exactly are you going to boost the work and how can I personally
>> help you?
>>
>> I'll forward your question to dev@wicket.apache.org
>>
>> Cheers,
>> Andrew

Fri, Jun 5, 2020 at 18:31, Martin Grigorov <mgrigo...@apache.org>:

> Hi,
>
> On Fri, Jun 5, 2020 at 6:17 AM Tobias Soloschenko
> <tobiassolosche...@googlemail.com.invalid> wrote:
>
> > Hi,
> >
> > in my opinion they just want to contribute to Wicket. I would simply
> > explain how the process of contribution works at ASF (PRs, etc.) and give
> > them some information about what challenges we were faced with till now.
> >
>
> IMO we should explain that the CSP support has already been added in 9.x
> and close this forgotten JIRA ticket.
> Then if they still think there are ways to improve the current
> implementation they are very welcome to contribute!
>
> @Andrew feel free to point them to this discussion. One can join at
>
> https://lists.apache.org/thread.html/rbd8b1500fff1140d136a08e35cf8c0f5cf200bf8a60b6a58204ef9a7%40%3Cdev.wicket.apache.org%3E
>
>
> >
> > kind regards
> >
> > Tobias
> >
> > > On 05.06.2020 at 02:18, Andrew Kondratev <and...@kondratev.pro> wrote:
> > > >
> > > > Hi colleagues! I just received this email. Not sure what this all means.
> > >
> > > ---------- Forwarded message ---------
> > > > From: Santiago Díaz <sald...@google.com>
> > > > Date: Thu, Jun 4, 2020 at 21:47
> > > Subject: Contribution - CSP support for Wicket
> > > To: <andru...@gmail.com>
> > >
> > >
> > > Hello Andrew,
> > >
> > > > My name is Santiago, I'm a Security Engineer at Google. I am currently
> > > > making preparations to receive a small group of interns for this summer's
> > > > Google internships and found your email during the course of my research.
> > > >
> > > > *Context*
> > > > Here at Google we have a lot of experience deploying security mechanisms
> > > > (like Content Security Policy, Trusted Types, Fetch Metadata, Cross-Origin
> > > > Opener Policy and others) at scale. We understand the pains of designing
> > > > strong security policies, finding blockers for their deployment and
> > > > locating pieces of code that need refactoring.
> > > >
> > > > *Why are you receiving this email?*
> > > > For this year's internships (and considering the current global situation)
> > > > we would like to contribute to selected open source projects, bringing some
> > > > of our experience to *encourage adoption of some of these security
> > > > enhancements*. Wicket is one of the projects we have shortlisted and we'd
> > > > be happy to collaborate with you!
> > > >
> > > > I found out that there is an ongoing discussion over at
> > > > https://issues.apache.org/jira/browse/WICKET-5406 to improve CSP support in
> > > > Wicket and that *you have been running some experiments on what that would
> > > > look like*.
> > > >
> > > > Having said that, it would be great if we could boost your work instead of
> > > > reinventing the wheel. As such, I would like to know if you'd be open to
> > > > our contributions and if so, whether you'd be willing to give me some
> > > > context on what has been done, what issues you've come across and whether
> > > > you have any thoughts on what would be the best way for us to contribute.
> > > >
> > > > Thank you for reading and I'm looking forward to hearing from you! :)
> > >
> > > S.
> >
>
