PRs are welcome :))) Sources for the guide are located here:
https://github.com/apache/wicket/tree/master/wicket-user-guide/src/main/asciidoc
Ajax components require 'unsafe-inline' 'unsafe-eval'; not sure how
this can be fixed :(
On Wed, Aug 1, 2018 at 2:32 PM Major Péter wrote:
>
> Hi,
>
> In
Hi,
In that case I would suggest default-src 'self' as a better starting
point. The problem remains though, if one uses Ajax and/or has
placeholder tags for invisible components, one must have at least:
Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self'
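To make the difference between the policies quoted in this thread concrete, here is a small CSP evaluator. It is an added example, not code from the thread, from the Wicket user guide or from the Wicket project. It parses a Content-Security-Policy header value and reports, for script-src and style-src, whether the browser would permit inline code, eval() and loads from arbitrary remote origins, applying the default-src fallback rule. The three policies in POLICIES are the ones quoted above; the "nonce" variant is a constructed addition to show that a nonce source makes 'unsafe-inline' ignored. It does not model 'strict-dynamic', host matching or report-only mode, so it is a tool for reasoning about header values, not a substitute for testing in a browser.

```python
"""Content-Security-Policy evaluator for the policies discussed in this thread.

Added example, not code from the thread, the Wicket guide or the Wicket
project. It parses a CSP header value and reports, for script-src and
style-src, whether the browser would allow inline code, eval(), and loads
from arbitrary remote origins. The first three policies in POLICIES are
quoted in the thread; the "nonce" variant is constructed for illustration.
"""
from typing import Dict, List, Optional

# Directives that fall back to default-src when not set explicitly
# (the full CSP fallback list is longer; these suffice for the thread).
FALLBACK_TO_DEFAULT = {"script-src", "style-src", "img-src", "connect-src", "font-src"}

# Source expressions that match any remote origin ('*' any non-data scheme,
# 'https:' / 'http:' any host on that scheme).
WILDCARD_SOURCES = {"*", "https:", "http:"}

# Constructed sample policies: the first three are quoted in the thread.
POLICIES = {
    "guide": "default-src https:",
    "self-only": "default-src 'self'",
    "wicket-ajax": "script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self'",
    # Assumed variant: a nonce source makes 'unsafe-inline' ignored by CSP2+ browsers.
    "nonce": "script-src 'self' 'unsafe-inline' 'nonce-r4nd0m'",
}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a header value into {directive-name: [source expressions]}.

    Directive names are case-insensitive and, as in browsers, only the first
    occurrence of a directive is honoured; later duplicates are ignored.
    """
    directives: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def effective_sources(directives: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Return the source list governing `directive`, applying default-src fallback.

    None means the policy places no restriction on this resource type at all.
    """
    if directive in directives:
        return directives[directive]
    if directive in FALLBACK_TO_DEFAULT:
        return directives.get("default-src")
    return None


def evaluate(header: str, directive: str) -> Dict[str, bool]:
    """Evaluate what `directive` (e.g. "script-src") permits under `header`."""
    sources = effective_sources(parse_csp(header), directive)
    if sources is None:
        # Unrestricted: anything goes for this resource type.
        return {"restricted": False, "inline": True, "eval": True, "any_remote": True}
    lowered = [s.lower() for s in sources]
    if lowered == ["'none'"]:
        return {"restricted": True, "inline": False, "eval": False, "any_remote": False}
    # Keyword sources are quoted; lowercasing is only used for prefix matching.
    keywords = {s for s in lowered if s.startswith("'")}
    has_nonce_or_hash = any(
        k.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for k in keywords
    )
    return {
        "restricted": True,
        # 'unsafe-inline' is ignored once a nonce or hash source is present.
        "inline": "'unsafe-inline'" in keywords and not has_nonce_or_hash,
        "eval": "'unsafe-eval'" in keywords,
        "any_remote": any(s in WILDCARD_SOURCES for s in lowered),
    }


def report(header: str) -> List[str]:
    """One finding per (directive, capability) that the policy still permits."""
    findings: List[str] = []
    for directive in ("script-src", "style-src"):
        result = evaluate(header, directive)
        if not result["restricted"]:
            findings.append(f"{directive}: unrestricted (no directive and no default-src)")
            continue
        if result["inline"]:
            findings.append(f"{directive}: inline allowed")
        if result["eval"] and directive == "script-src":
            findings.append(f"{directive}: eval() allowed")
        if result["any_remote"]:
            findings.append(f"{directive}: any remote origin allowed")
    return findings


if __name__ == "__main__":
    for name, policy in POLICIES.items():
        print(f"{name}: {policy}")
        for line in report(policy) or ["(nothing risky permitted)"]:
            print("  " + line)
```

Running it shows the two sides of the thread side by side: `default-src https:` blocks inline script and eval() but lets the page load scripts and styles from any HTTPS host, `default-src 'self'` blocks all of that, and the Wicket-friendly policy re-opens inline script and eval() for script-src only, while `style-src 'self'` by itself still blocks inline style attributes, which the thread says Wicket uses to control component visibility.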
Hello Peter,
I also believe the general rule should be: deny all, then allow one-by-one.
But this is a general principle; the guide describes a configuration
you can start with :)
On Mon, Jul 30, 2018 at 3:50 PM Major Péter wrote:
>
> Hi,
>
> thanks, I haven't seen that one yet (I'm coming back t
Hi,
thanks, I haven't seen that one yet (I'm coming back to Wicket after ~8
years, so I was still thinking that Confluence was the source of truth).
Reading through the section I don't feel that the suggestion there is
appropriate:
* using default-src https: allows you to do pretty much anything
Have you already read this part of the guide?
https://ci.apache.org/projects/wicket/guide/8.x/single.html#_external_security_checks
On Mon, Jul 30, 2018 at 3:18 PM Major Péter wrote:
>
> Hi,
>
> I'm trying to write a new Wicket application, and I wanted to use CSP
> for added security. It seems li
Hi,
I'm trying to write a new Wicket application, and I wanted to use CSP
for added security. It seems like that there are two main issues:
* Wicket's AJAX support is highly dependent on inline and eval'd
JavaScript code
* component visibility is controlled using inline styles
Is WICKET-5406