Hello Wicket devs!
Thanks for pointing out the Jira tickets that I missed! I didn't realise that
you already have extensive CSP support. Great job on getting rid of both
unsafe-inline & unsafe-eval!
In that case, we will be shifting focus towards improving Wicket's security
through one or more of the following security enhancements:
- Protecting against DOM XSS:
- Trusted Types is a strong protection against DOM XSS. There is a great
primer at https://web.dev/trusted-types/
- Protecting against Cross-Site Request Forgery, XS-Leaks, Spectre & timing
attacks through site isolation:
- Fetch Metadata. See
https://developer.mozilla.org/en-US/docs/Glossary/Fetch_metadata_request_header#:~:text=A%20fetch%20metadata%20request%20header,not%20be%20modified%20from%20JavaScript.
- Cross-Origin Opener Policy. See https://web.dev/why-coop-coep/
I am somewhat familiar with ASF's general contribution guidelines but if you
would like to point us to any resources that you think will make our
collaboration smoother, I will be happy to share them internally. Tobias'
suggestion on giving some additional context on challenges you've found sounds
great.
We are still at a very early stage of our project, but I will use this thread
to keep you updated on progress & questions.
Cheers!
On Fri, Jun 5, 2020 at 12:12 PM Andrew Kondratev <and...@kondratev.pro> wrote:
On 2020/06/05 10:09:23, Andrew Kondratev <and...@kondratev.pro> wrote:
> >> IMO we should explain that the CSP support has been already added in 9.x
> >> and to close this forgotten JIRA ticket.
> >> Then if they still think there are ways to improve the current
> >> implementation they are very welcome to contribute!
>
> Martin, I did tell it first:
>
> >> Hi Santiago.
> >>
> >> The CSP support has actually improved a lot since then.
> >> Wicket got rid of evals in the code, see here
> https://github.com/apache/wicket/pull/384 /
> https://issues.apache.org/jira/browse/WICKET-6703
> >>
> >> How exactly are you going to boost the work and how can I personally
> help you?
> >>
> >> I'll forward your question to dev@wicket.apache.org
> >>
> >> Cheers,
> >> Andrew
>
> пт, 5 июн. 2020 г. в 18:31, Martin Grigorov <mgrigo...@apache.org>:
>
> > Hi,
> >
> > On Fri, Jun 5, 2020 at 6:17 AM Tobias Soloschenko
> > <tobiassolosche...@googlemail.com.invalid> wrote:
> >
> > > Hi,
> > >
> > > to my opinion they just want to contribute to Wicket. I would simply
> > > explain how the process of contribution works at ASF (PRs, etc.) and give
> > > them some information what challenges we were faced with till now.
> > >
> >
> > IMO we should explain that the CSP support has been already added in 9.x
> > and to close this forgotten JIRA ticket.
> > Then if they still think there are ways to improve the current
> > implementation they are very welcome to contribute!
> >
> > @Andrew feel free to point them to this discussion. One can join at
> >
> > https://lists.apache.org/thread.html/rbd8b1500fff1140d136a08e35cf8c0f5cf200bf8a60b6a58204ef9a7%40%3Cdev.wicket.apache.org%3E
> >
> >
> > >
> > > kind regards
> > >
> > > Tobias
> > >
> > > > Am 05.06.2020 um 02:18 schrieb Andrew Kondratev <and...@kondratev.pro
> > >:
> > > >
> > > > Hi colleagues! I just received this email. Not sure what this all
> > means.
> > > >
> > > > ---------- Forwarded message ---------
> > > > От: Santiago Díaz <sald...@google.com>
> > > > Date: чт, 4 июн. 2020 г. в 21:47
> > > > Subject: Contribution - CSP support for Wicket
> > > > To: <andru...@gmail.com>
> > > >
> > > >
> > > > Hello Andrew,
> > > >
> > > > My name is Santiago, I'm a Security Engineer at Google. I am currently
> > > > making preparations to receive a small group of interns for this
> > summer's
> > > > Google internships and found your email during the course of my
> > research.
> > > >
> > > > *Context*
> > > > Here at Google we have a lot of experience deploying security
> > mechanisms
> > > > (like Content Security Policy, Trusted Types, Fetch Metadata,
> > > Cross-Origin
> > > > Opener Policy and others) at scale. We understand the pains of
> > designing
> > > > strong security policies, finding blockers for their deployment and
> > > > locating pieces of code that need refactoring.
> > > >
> > > > *Why are you receiving this email?*
> > > > For this year's internships (and considering the current global
> > > situation)
> > > > we would like to contribute to selected open source projects, bringing
> > > some
> > > > of our experience to *encourage adoption of some of these security
> > > > enhancements*. Wicket is one of the projects we have shortlisted and
> > we'd
> > > > be happy to collaborate with you!
> > > >
> > > > I found out that there is an ongoing discussion over at
> > > > https://issues.apache.org/jira/browse/WICKET-5406 to improve CSP
> > > support in
> > > > Wicket and that *you have been running some experiments on what that
> > > would
> > > > look like*.
> > > >
> > > > Having said that, it would be great if we could boost your work instead
> > > of
> > > > reinventing the wheel. As such, I would like to know if you'd be open
> > to
> > > > our contributions and if so, whether you'd be willing to give me some
> > > > context on what has been done, what issues you've come across and
> > whether
> > > > you have any thoughts on what would be the best way for us to
> > contribute.
> > > >
> > > > Thank you for reading and I'm looking forward to hearing from you! :)
> > > >
> > > > S.
> > >
> >
>
