salcho commented on pull request #442:
URL: https://github.com/apache/wicket/pull/442#issuecomment-679951678


   > It's a matter of consistency, please see how CSPRequestCycleListener does 
it.
   > 
   > We have to take care of naming too: securityInit() is _not_ where 'an 
application's security is initialized'.
   
   Hi @svenmeier!
   
   We have updated the name of the method now, thanks for the suggestion! We 
were just wondering if you could elaborate a bit on what the use case is for 
changing security configurations at runtime. Do you have any cases where a 
developer would like to change the set of scripts that are allowed to run or 
the set of endpoints intended to be used cross-origin at runtime? 
   
   While I agree that consistency is important, I also think it makes sense to 
programmatically add listeners that depend on user config. IMHO, the current 
approach has two downsides:
   
   - Listeners get added to the stack regardless of user config, adding latency 
to the processing of each request even if they don't act on the request in any 
way (in CSP for instance, the `mustProtect` method is called on every request 
even if `ContentSecurityPolicySettings` is empty).
   
   - Security configurations are not immutable. This is often the source of 
vulnerabilities because an attacker can usually force a code path that 
disables/corrupts security mitigations. Typical examples of this are 
[reflecting origins in CORS headers at 
runtime](https://hackerone.com/reports/896093), [bypassing CSP when it's built 
at runtime with user 
input](https://portswigger.net/research/bypassing-csp-with-policy-injection) or 
[creating arbitrary redirects on hosts based on user 
input](https://hackerone.com/reports/210875). 
   
   Perhaps Wicket has some good reasons why CSP works the way it does 
currently! If that isn't the case, do you think this could be a good 
opportunity to improve performance/security? I think having a config-dependent 
`init` that runs after the user has a chance to configure their app would 
achieve this! 
   
   We could keep consistency by moving the adding of the CSP listener to this 
proposed new `init` too, so that the listener is never added if no CSP has been 
configured. This would set a nice trend for future listeners.
   
   These are principles we've used in other contributions (see Struts' 
implementation of [COOP](https://github.com/apache/struts/pull/432), 
[CSP](https://github.com/apache/struts/pull/430) and [Fetch 
Metadata](https://github.com/apache/struts/pull/426)) and would really like to 
know if Wicket has use cases where these principles don't apply, so we'd 
definitely appreciate some feedback!


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


Reply via email to