salcho commented on pull request #442: URL: https://github.com/apache/wicket/pull/442#issuecomment-679951678
> It's a matter of consistency, please see how CSPRequestCycleListener does it. > > We have to take care of naming too: securityInit() is _not_ where 'an application's security is initialized'. Hi @svenmeier! We have updated the name of the method now, thanks for the suggestion! We were just wondering if you could elaborate a bit on what the use case is for changing security configurations at runtime. Do you have any cases where a developer would like to change the set of scripts that are allowed to run or the set of endpoints intended to be used cross-origin at runtime? While I agree that consistency is important, I also think it makes sense to programmatically add listeners that depend on user config. IMHO, the current approach has two downsides: - Listeners get added to the stack regardless of user config, adding latency to the processing of each request even if they don't act on the request in any way (in CSP for instance, the `mustProtect` method is called on every request even if `ContentSecurityPolicySettings` is empty). - Security configurations are not immutable. This is often the source of vulnerabilities because an attacker can usually force a code path that disables/corrupts security mitigations. Typical examples of this are [reflecting origins in CORS headers at runtime](https://hackerone.com/reports/896093), [bypassing CSP when it's built at runtime with user input](https://portswigger.net/research/bypassing-csp-with-policy-injection) or [creating arbitrary redirects on hosts based on user input](https://hackerone.com/reports/210875). Perhaps Wicket has some good reasons why CSP works the way it does currently! If that isn't the case, do you think this could be a good opportunity to improve performance/security? I think having a config-dependent `init` that runs after the user has a chance to configure their app would achieve this! We could keep consistency by moving the adding of the CSP listener to this proposed new `init` too, so that the listener is never added if no CSP has been configured. This would set a nice trend for future listeners. These are principles we've used in other contributions (see Struts' implementation of [COOP](https://github.com/apache/struts/pull/432), [CSP](https://github.com/apache/struts/pull/430) and [Fetch Metadata](https://github.com/apache/struts/pull/426)) and would really like to know if Wicket has use cases where these principles don't apply, so we'd definitely appreciate some feedback! ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
