CSP in Wicket 9

2020-01-11 Thread Emond Papegaaij
Hi all,

For the past few days I've been experimenting with the new CSP
features in Wicket 9. I really want to thank Andrew, Sven and Martin
for the great work you guys did in making this possible. I'm getting
very close to running my application with a very tight and secure CSP.
Unfortunately, some parts of Wicket still use inline styling and
scripting. So far I've found the following two issues:

* hidden components with setOutputMarkupPlaceholderTag(true) have display:none
* Forms render inline styling and javascript in some cases to improve
submit handling

I think we should try to fix these before Wicket 9 is released. I will
continue to debug our application to see if there are more places.

At Topicus we wrote an IRequestCycleListener that applies the CSP
automatically to every request via HTTP headers. The API makes it easy
to configure the CSP. I've added support for the nonce as well. It
uses a new nonce for every request, which should be more secure than a
nonce bound to a session. I'll discuss with my employee next week if
we can donate this code to Wicket.

Best regards,
Emond
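An added example of the kind of listener described above (my sketch, not Emond's Topicus code and not Wicket's own CSP support): it mints a fresh CSPRNG nonce for each request cycle, keeps it in request metadata so header contributors can tag their inline scripts and styles, and writes the policy header. It assumes Wicket 9's `IRequestCycleListener.onRequestHandlerResolved`, `RequestCycle.setMetaData/getMetaData` and `WebResponse.setHeader`; the class name, the metadata key and the concrete policy string are hypothetical.

```java
import java.security.SecureRandom;
import java.util.Base64;

import org.apache.wicket.MetaDataKey;
import org.apache.wicket.request.IRequestHandler;
import org.apache.wicket.request.cycle.IRequestCycleListener;
import org.apache.wicket.request.cycle.RequestCycle;
import org.apache.wicket.request.http.WebResponse;

/** Hypothetical listener: one fresh nonce per request cycle, never one bound to the session. */
public class PerRequestNonceCspListener implements IRequestCycleListener
{
    /** Request-scoped slot for the nonce; discarded with the request cycle. */
    public static final MetaDataKey<String> NONCE_KEY = new MetaDataKey<String>()
    {
        private static final long serialVersionUID = 1L;
    };

    private static final SecureRandom RANDOM = new SecureRandom();

    @Override
    public void onRequestHandlerResolved(RequestCycle cycle, IRequestHandler handler)
    {
        if (!(cycle.getResponse() instanceof WebResponse))
        {
            return; // no HTTP response to put a header on
        }
        // This hook can fire more than once per cycle (e.g. a scheduled handler),
        // so reuse the nonce already minted for this request instead of rotating it.
        String nonce = cycle.getMetaData(NONCE_KEY);
        if (nonce == null)
        {
            byte[] bytes = new byte[16]; // 128 bits of CSPRNG output
            RANDOM.nextBytes(bytes);
            nonce = Base64.getEncoder().encodeToString(bytes);
            cycle.setMetaData(NONCE_KEY, nonce);
        }
        // Tight baseline: nothing is allowed unless listed; inline code only with the nonce.
        String policy = "default-src 'none'; "
            + "script-src 'nonce-" + nonce + "' 'strict-dynamic'; "
            + "style-src 'nonce-" + nonce + "'; "
            + "img-src 'self'; connect-src 'self'; "
            + "base-uri 'none'; form-action 'self'";
        ((WebResponse)cycle.getResponse()).setHeader("Content-Security-Policy", policy);
    }

    /** For header contributors: the nonce to put on <script nonce="..."> in this request. */
    public static String currentNonce()
    {
        return RequestCycle.get().getMetaData(NONCE_KEY);
    }
}
```

Register it once in `Application.init()` with `getRequestCycleListeners().add(new PerRequestNonceCspListener())`; any inline style or script Wicket itself emits without the nonce (the two cases listed above) will then be blocked by the browser and show up as CSP violations.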


Re: [ANNOUNCE] WicketStuff 9.0.0-M4 Released

2020-01-11 Thread Maxim Solodovnik
Thanks Andrea,

Wicket is significant part of my life :)
I'll try to do as much as I can :)

On Sat, 11 Jan 2020 at 19:52, Andrea Del Bene wrote:

> Thanks Maxim for your effort with WicketStuff!
>
> On Sat, Jan 11, 2020, 9:27 AM Maxim Solodovnik wrote:
>
> > WicketStuff core 9.0.0-M4 based on Apache Wicket 9.0.0-M4 is released
> > and soon will be available at Maven Central!
> >
> > The changelog is:
> >
> > Maxim Solodovnik (11):
> >   Tests command is added to improve OracleJDK detection
> >   Java vendor detection is updated
> >   Switching to the next development version
> >   Build should be fixed
> >   HazelcastDataSource is fixed to use correct serializer
> >   Tests are updated
> >   jackson-databind is updated
> >   Better implementation of serializer injection
> >   Libraries are updated
> >   Redundant trailing spaces are removed
> >   wicketstuff-core-9.0.0-M4 is released
> >
> > Andrea Del Bene (6):
> >   Response content type set as first step.
> >   updated jackson library to resolve security alert.
> >   Update readme.md
> >   Merge pull request #683 from wicketstuff/dependabot/maven/com.fasterxml.jackson.core-jackson-databind-2.9.10.1
> >   Update readme.md
> >   Update readme.md
> >
> > Sven Meier (3):
> >   updated readme, added static getter
> >   WICKET-6708 use post parameters
> >   WICKET-6148 removed on prefix
> >
> > Martin Tzvetanov Grigorov (2):
> >   Upgrade Scala to 2.13.1
> >   Bump Hamcrest to 2.2
> >
> > Thorsten Schöning (2):
> >   URL.getFile doesn't decode paths in file-URLs in case spaces are
> > used. (#678)
> >   JamonMonitoredRequestCycleTest fails on Windows in case JVMs are
> > reused. (#679)
> >
> > Christoph Jost (1):
> >   fix for list flattening #685
> >
> > dependabot[bot] (1):
> >   Bump jackson-databind from 2.9.10 to 2.9.10.1
> >
> > xzr (1):
> >   reintroduce dispatchToNonVisibleComponents
> >
> >
> > The WicketStuff team
> >
>


-- 
WBR
Maxim aka solomax


Re: [ANNOUNCE] WicketStuff 9.0.0-M4 Released

2020-01-11 Thread Andrea Del Bene
Thanks Maxim for your effort with WicketStuff!

On Sat, Jan 11, 2020, 9:27 AM Maxim Solodovnik wrote:

> WicketStuff core 9.0.0-M4 based on Apache Wicket 9.0.0-M4 is released
> and soon will be available at Maven Central!
>
> The changelog is:
>
> Maxim Solodovnik (11):
>   Tests command is added to improve OracleJDK detection
>   Java vendor detection is updated
>   Switching to the next development version
>   Build should be fixed
>   HazelcastDataSource is fixed to use correct serializer
>   Tests are updated
>   jackson-databind is updated
>   Better implementation of serializer injection
>   Libraries are updated
>   Redundant trailing spaces are removed
>   wicketstuff-core-9.0.0-M4 is released
>
> Andrea Del Bene (6):
>   Response content type set as first step.
>   updated jackson library to resolve security alert.
>   Update readme.md
>   Merge pull request #683 from wicketstuff/dependabot/maven/com.fasterxml.jackson.core-jackson-databind-2.9.10.1
>   Update readme.md
>   Update readme.md
>
> Sven Meier (3):
>   updated readme, added static getter
>   WICKET-6708 use post parameters
>   WICKET-6148 removed on prefix
>
> Martin Tzvetanov Grigorov (2):
>   Upgrade Scala to 2.13.1
>   Bump Hamcrest to 2.2
>
> Thorsten Schöning (2):
>   URL.getFile doesn't decode paths in file-URLs in case spaces are
> used. (#678)
>   JamonMonitoredRequestCycleTest fails on Windows in case JVMs are
> reused. (#679)
>
> Christoph Jost (1):
>   fix for list flattening #685
>
> dependabot[bot] (1):
>   Bump jackson-databind from 2.9.10 to 2.9.10.1
>
> xzr (1):
>   reintroduce dispatchToNonVisibleComponents
>
>
> The WicketStuff team
>


[ANNOUNCE] WicketStuff 9.0.0-M4 Released

2020-01-11 Thread Maxim Solodovnik
WicketStuff core 9.0.0-M4 based on Apache Wicket 9.0.0-M4 is released
and soon will be available at Maven Central!

The changelog is:

Maxim Solodovnik (11):
  Tests command is added to improve OracleJDK detection
  Java vendor detection is updated
  Switching to the next development version
  Build should be fixed
  HazelcastDataSource is fixed to use correct serializer
  Tests are updated
  jackson-databind is updated
  Better implementation of serializer injection
  Libraries are updated
  Redundant trailing spaces are removed
  wicketstuff-core-9.0.0-M4 is released

Andrea Del Bene (6):
  Response content type set as first step.
  updated jackson library to resolve security alert.
  Update readme.md
  Merge pull request #683 from wicketstuff/dependabot/maven/com.fasterxml.jackson.core-jackson-databind-2.9.10.1
  Update readme.md
  Update readme.md

Sven Meier (3):
  updated readme, added static getter
  WICKET-6708 use post parameters
  WICKET-6148 removed on prefix

Martin Tzvetanov Grigorov (2):
  Upgrade Scala to 2.13.1
  Bump Hamcrest to 2.2

Thorsten Schöning (2):
  URL.getFile doesn't decode paths in file-URLs in case spaces are
used. (#678)
  JamonMonitoredRequestCycleTest fails on Windows in case JVMs are
reused. (#679)

Christoph Jost (1):
  fix for list flattening #685

dependabot[bot] (1):
  Bump jackson-databind from 2.9.10 to 2.9.10.1

xzr (1):
  reintroduce dispatchToNonVisibleComponents


The WicketStuff team