Hi, it is not directly related to the changes in this commit, but I notice that the CSP settings are a first-class citizen of WebApplication, while the new COOP/COEP configuration classes are members of SecuritySettings. I like the latter better, but it is a bit too late to move CSP into SecuritySettings as well. Is anyone else bothered by this inconsistency?
On Thu, Aug 27, 2020 at 8:50 PM <svenme...@apache.org> wrote: > This is an automated email from the ASF dual-hosted git repository. > > svenmeier pushed a commit to branch WICKET-6821-disable-CSP > in repository https://gitbox.apache.org/repos/asf/wicket.git > > commit f1f95dd92e6c559cf5243fdf59e1ec20821df2c0 > Author: Sven Meier <svenme...@apache.org> > AuthorDate: Thu Aug 27 19:49:18 2020 +0200 > > WICKET-6821 disabled CSP > --- > .../wicket/csp/ContentSecurityPolicySettings.java | 8 ++++++++ > .../wicket/protocol/http/WebApplication.java | 6 ++++-- > .../csp/CSPSettingRequestCycleListenerTest.java | 23 > +++++++++++++++++----- > .../head/filter/FilteringHeaderResponseTest.java | 6 ++++++ > 4 files changed, 36 insertions(+), 7 deletions(-) > > diff --git > a/wicket-core/src/main/java/org/apache/wicket/csp/ContentSecurityPolicySettings.java > b/wicket-core/src/main/java/org/apache/wicket/csp/ContentSecurityPolicySettings.java > index a768055..7bd1bdd 100644 > --- > a/wicket-core/src/main/java/org/apache/wicket/csp/ContentSecurityPolicySettings.java > +++ > b/wicket-core/src/main/java/org/apache/wicket/csp/ContentSecurityPolicySettings.java > @@ -183,4 +183,12 @@ public class ContentSecurityPolicySettings > .add(response -> new > CSPNonceHeaderResponseDecorator(response, this)); > application.mount(new ReportCSPViolationMapper(this)); > } > + > + /** > + * Is CSP enabled. > + */ > + public boolean isEnabled() > + { > + return > configs.values().stream().anyMatch(CSPHeaderConfiguration::isSet); > + } > } > diff --git > a/wicket-core/src/main/java/org/apache/wicket/protocol/http/WebApplication.java > b/wicket-core/src/main/java/org/apache/wicket/protocol/http/WebApplication.java > index 22dcc71..d38cadf 100644 > --- > a/wicket-core/src/main/java/org/apache/wicket/protocol/http/WebApplication.java > +++ > b/wicket-core/src/main/java/org/apache/wicket/protocol/http/WebApplication.java 
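Review bot: The Javadoc on the new public `isEnabled()` says only "Is CSP enabled." although the method is overridable (both tests in this commit override it) and, per the WebApplication hunk, is the single gate that decides whether `enforce(this)` installs the CSP listeners at all. I would document the actual contract: `Whether CSP enforcement is switched on: {@code true} once at least one {@link CSPHeaderConfiguration} held by these settings has a directive set.` with a matching `@return` line. As far as this diff shows the value is only consulted once, from `WebApplication#validateInit()`, so a sentence noting that directives added after initialisation will not be enforced would save the next maintainer a surprise. The enclosing class continues outside the hunk.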
> @@ -760,8 +760,6 @@ public abstract class WebApplication extends > Application > > getAjaxRequestTargetListeners().add(new > AjaxEnclosureListener()); > > - getCspSettings().enforce(this); > - > // Configure the app. > configure(); > if (getConfigurationType() == > RuntimeConfigurationType.DEVELOPMENT) > @@ -782,6 +780,10 @@ public abstract class WebApplication extends > Application > { > super.validateInit(); > > + if (getCspSettings().isEnabled()) { > + getCspSettings().enforce(this); > + } > + > // enable coop and coep listeners if specified in security > settings > CrossOriginOpenerPolicyConfiguration coopConfig = > getSecuritySettings() > .getCrossOriginOpenerPolicyConfiguration(); > diff --git > a/wicket-core/src/test/java/org/apache/wicket/csp/CSPSettingRequestCycleListenerTest.java > b/wicket-core/src/test/java/org/apache/wicket/csp/CSPSettingRequestCycleListenerTest.java > index 9679cbc..08a4d36 100644 > --- > a/wicket-core/src/test/java/org/apache/wicket/csp/CSPSettingRequestCycleListenerTest.java > +++ > b/wicket-core/src/test/java/org/apache/wicket/csp/CSPSettingRequestCycleListenerTest.java 
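Review bot: The added `if (getCspSettings().isEnabled())` block makes "no CSP" the silent default — when no directive is configured, neither the nonce decorator nor the `ReportCSPViolationMapper` is installed and nothing records that fact; a comment such as `// CSP is opt-in: nothing is enforced unless a directive was configured before validateInit()` above the `if`, and a development-mode log line in an else branch if the class has a logger, would make that security-relevant default visible. Moving the call from `init()` (before `configure()`, per the first hunk) to `validateInit()` also means the CSP decorator is now registered after the application's own `init()` rather than before, so its order relative to decorators an application adds there is presumably reversed — worth a sentence in the commit message if intended. Finally, the brace placement breaks the file's Allman style seen on the surrounding `{` lines; write `if (getCspSettings().isEnabled())` with `{` on the following line. `validateInit()` continues outside the hunk.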
> @@ -37,21 +37,34 @@ import java.util.Set; > import java.util.stream.Collectors; > import java.util.stream.Stream; > > -import org.apache.wicket.mock.MockHomePage; > +import org.apache.wicket.mock.MockApplication; > import org.apache.wicket.protocol.http.WebApplication; > import org.apache.wicket.request.cycle.RequestCycle; > import org.apache.wicket.util.tester.DummyHomePage; > import org.apache.wicket.util.tester.WicketTestCase; > -import org.apache.wicket.util.tester.WicketTester; > import org.junit.jupiter.api.Assertions; > import org.junit.jupiter.api.Test; > > public class CSPSettingRequestCycleListenerTest extends WicketTestCase > { > - @Override > - protected WicketTester newWicketTester(WebApplication app) > + @Override > + protected WebApplication newApplication() > { > - return new WicketTester(MockHomePage.class); > + return new MockApplication() > + { > + @Override > + protected ContentSecurityPolicySettings > newCspSettings() > + { > + return new > ContentSecurityPolicySettings(this) > + { > + @Override > + public boolean isEnabled() > + { > + return true; > + } > + }; > + } > + }; > } > > @Test > diff --git > a/wicket-core/src/test/java/org/apache/wicket/markup/head/filter/FilteringHeaderResponseTest.java > b/wicket-core/src/test/java/org/apache/wicket/markup/head/filter/FilteringHeaderResponseTest.java > index 8adfa94..34c6d8a 100644 > --- > a/wicket-core/src/test/java/org/apache/wicket/markup/head/filter/FilteringHeaderResponseTest.java > +++ > b/wicket-core/src/test/java/org/apache/wicket/markup/head/filter/FilteringHeaderResponseTest.java > @@ -53,6 +53,12 @@ class FilteringHeaderResponseTest extends WicketTestCase > { > return "NONCE"; > } > + > + @Override > + public boolean isEnabled() > + { > + return true; > + } > }; > } > }; > >
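Review bot: Overriding `isEnabled()` to return `true` in the test's `MockApplication` bypasses the very logic this commit introduces, so no test asserts that CSP is off when no directive is set or on once one is; a small case such as `Assertions.assertFalse(new ContentSecurityPolicySettings(app).isEnabled())` plus a second assertion after configuring a single directive (whichever setter the settings class exposes) would pin the new default. The override itself deserves a comment explaining why the real check is short-circuited, e.g. `// force enforcement so the listener under test is installed regardless of configured directives`. The test class continues outside the hunk.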