Hello Wicket devs! Thanks for pointing out the Jira tickets that I missed! I didn't realise that you already have extensive CSP support. Great job on getting rid of both unsafe-inline & unsafe-eval!
In that case, we will be shifting focus towards improving Wicket's security through one or more of the following security enhancements: - Protecting against DOM XSS: - Trusted Types is a strong protection against DOM XSS. There is a great primer at https://web.dev/trusted-types/ - Protecting against Cross-Site Request Forgery, XS-Leaks, Spectre & timing attacks through site isolation: - Fetch Metadata. See https://developer.mozilla.org/en-US/docs/Glossary/Fetch_metadata_request_header#:~:text=A%20fetch%20metadata%20request%20header,not%20be%20modified%20from%20JavaScript. - Cross-Origin Opener Policy. See https://web.dev/why-coop-coep/ I am somewhat familiar with ASF's general contribution guidelines but if you would like to point us to any resources that you think will make our collaboration smoother, I will be happy to share them internally. Tobias' suggestion on giving some additional context on challenges you've found sounds great. We are still at a very early stage of our project, but I will use this thread to keep you updated on progress & questions. Cheers! On Fri, Jun 5, 2020 at 12:12 PM Andrew Kondratev <and...@kondratev.pro> wrote: On 2020/06/05 10:09:23, Andrew Kondratev <and...@kondratev.pro> wrote: > >> IMO we should explain that the CSP support has been already added in 9.x > >> and to close this forgotten JIRA ticket. > >> Then if they still think there are ways to improve the current > >> implementation they are very welcome to contribute! > > Martin, I did tell it first: > > >> Hi Santiago. > >> > >> The CSP support has actually improved a lot since then. > >> Wicket got rid of evals in the code, see here > https://github.com/apache/wicket/pull/384 / > https://issues.apache.org/jira/browse/WICKET-6703 > >> > >> How exactly are you going to boost the work and how can I personally > help you? > >> > >> I'll forward your question to dev@wicket.apache.org > >> > >> Cheers, > >> Andrew > > пт, 5 июн. 2020 г. в 18:31, Martin Grigorov <mgrigo...@apache.org>: > > > Hi, > > > > On Fri, Jun 5, 2020 at 6:17 AM Tobias Soloschenko > > <tobiassolosche...@googlemail.com.invalid> wrote: > > > > > Hi, > > > > > > to my opinion they just want to contribute to Wicket. I would simply > > > explain how the process of contribution works at ASF (PRs, etc.) and give > > > them some information what challenges we were faced with till now. > > > > > > > IMO we should explain that the CSP support has been already added in 9.x > > and to close this forgotten JIRA ticket. > > Then if they still think there are ways to improve the current > > implementation they are very welcome to contribute! > > > > @Andrew feel free to point them to this discussion. One can join at > > > > https://lists.apache.org/thread.html/rbd8b1500fff1140d136a08e35cf8c0f5cf200bf8a60b6a58204ef9a7%40%3Cdev.wicket.apache.org%3E > > > > > > > > > > kind regards > > > > > > Tobias > > > > > > > Am 05.06.2020 um 02:18 schrieb Andrew Kondratev <and...@kondratev.pro > > >: > > > > > > > > Hi colleagues! I just received this email. Not sure what this all > > means. > > > > > > > > ---------- Forwarded message --------- > > > > От: Santiago Díaz <sald...@google.com> > > > > Date: чт, 4 июн. 2020 г. в 21:47 > > > > Subject: Contribution - CSP support for Wicket > > > > To: <andru...@gmail.com> > > > > > > > > > > > > Hello Andrew, > > > > > > > > My name is Santiago, I'm a Security Engineer at Google. I am currently > > > > making preparations to receive a small group of interns for this > > summer's > > > > Google internships and found your email during the course of my > > research. > > > > > > > > *Context* > > > > Here at Google we have a lot of experience deploying security > > mechanisms > > > > (like Content Security Policy, Trusted Types, Fetch Metadata, > > > Cross-Origin > > > > Opener Policy and others) at scale. We understand the pains of > > designing > > > > strong security policies, finding blockers for their deployment and > > > > locating pieces of code that need refactoring. > > > > > > > > *Why are you receiving this email?* > > > > For this year's internships (and considering the current global > > > situation) > > > > we would like to contribute to selected open source projects, bringing > > > some > > > > of our experience to *encourage adoption of some of these security > > > > enhancements*. Wicket is one of the projects we have shortlisted and > > we'd > > > > be happy to collaborate with you! > > > > > > > > I found out that there is an ongoing discussion over at > > > > https://issues.apache.org/jira/browse/WICKET-5406 to improve CSP > > > support in > > > > Wicket and that *you have been running some experiments on what that > > > would > > > > look like*. > > > > > > > > Having said that, it would be great if we could boost your work instead > > > of > > > > reinventing the wheel. As such, I would like to know if you'd be open > > to > > > > our contributions and if so, whether you'd be willing to give me some > > > > context on what has been done, what issues you've come across and > > whether > > > > you have any thoughts on what would be the best way for us to > > contribute. > > > > > > > > Thank you for reading and I'm looking forward to hearing from you! :) > > > > > > > > S. > > > > > >