[ https://issues.apache.org/jira/browse/WICKET-6813?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Emond Papegaaij closed WICKET-6813.
-----------------------------------
    Resolution: Duplicate

> Setting child-src does not update frame-src after initial assignment
> --------------------------------------------------------------------
>
>                 Key: WICKET-6813
>                 URL: https://issues.apache.org/jira/browse/WICKET-6813
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket-core
>    Affects Versions: 9.0.0-M5, 9.0.0
>            Reporter: Mark Snijder
>            Priority: Minor
>
> When configuring CHILD_SRC Wicket also configures FRAME_SRC
> ([CSPHeaderConfiguration.doAddDirective|https://github.com/apache/wicket/blob/bef3facb3b240f60a3455f257eaf1b9db81a9e29/wicket-core/src/main/java/org/apache/wicket/csp/CSPHeaderConfiguration.java#L310])
> however it only does this when FRAME_SRC is not set.
> Since _unsafeInline()_ sets CHILD_SRC to 'self', adding other CHILD_SRC
> directive values will not update the FRAME_SRC value anymore. The CSP
> settings in the code below cause a _Refused to frame
> 'https://docs.google.com/' because it violates the following Content Security
> Policy directive: "frame-src 'self'"._ error.
> {code:java}
> getCspSettings().blocking()
>   .unsafeInline()
>   .add(CSPDirective.SCRIPT_SRC, "https://apis.google.com/")
>   .add(CSPDirective.CHILD_SRC, "https://docs.google.com/");
> {code}
> A workaround is to add FRAME_SRC yourself manually to the code above
> (_.add(CSPDirective.FRAME_SRC, "https://docs.google.com/")_) but I would have
> expected the code to work without adding this.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
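
The behaviour described in the report, as an added example that is not part of the original message and is not Wicket's code: a simplified model of "mirror child-src into frame-src only while frame-src is unset", plus a check that lists child-src sources missing from frame-src in a rendered policy. The class and method names (`ChildSrcFrameSrcDemo`, `add`, `render`, `missingFromFrameSrc`) are hypothetical, and `unsafeInline()` is reduced to the single effect the report names.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
// Simplified model of the behaviour described in the report; not Wicket's code.
public class ChildSrcFrameSrcDemo {
    private final Map<String, List<String>> directives = new LinkedHashMap<>();

    // Models the reported logic: child-src is mirrored to frame-src
    // only while frame-src has no value yet.
    ChildSrcFrameSrcDemo add(String directive, String source) {
        if ("child-src".equals(directive) && !directives.containsKey("frame-src")) {
            directives.computeIfAbsent("frame-src", k -> new ArrayList<>()).add(source);
        }
        directives.computeIfAbsent(directive, k -> new ArrayList<>()).add(source);
        return this;
    }

    String render() {
        StringBuilder sb = new StringBuilder();
        directives.forEach((name, sources) ->
            sb.append(name).append(' ').append(String.join(" ", sources)).append("; "));
        return sb.toString().trim();
    }

    // Check for a policy header: sources allowed by child-src but absent from frame-src.
    static List<String> missingFromFrameSrc(String header) {
        Map<String, List<String>> parsed = new LinkedHashMap<>();
        for (String part : header.split(";")) {
            String[] tokens = part.trim().split("\\s+");
            if (tokens[0].isEmpty()) continue;
            parsed.put(tokens[0].toLowerCase(), List.of(tokens).subList(1, tokens.length));
        }
        List<String> missing = new ArrayList<>(parsed.getOrDefault("child-src", List.of()));
        missing.removeAll(parsed.getOrDefault("frame-src", List.of()));
        return missing;
    }

    public static void main(String[] args) {
        // Constructed input: the report's directive sequence, unsafeInline() as child-src 'self'.
        String header = new ChildSrcFrameSrcDemo()
            .add("child-src", "'self'")
            .add("script-src", "https://apis.google.com/")
            .add("child-src", "https://docs.google.com/")
            .render();
        System.out.println(header);
        System.out.println("child-src sources missing from frame-src: " + missingFromFrameSrc(header));
    }
}
```

Because browsers consult child-src for frames only when frame-src is absent, the rendered policy still enforces `frame-src 'self'`, which matches the error quoted in the report.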