Have you already read this part of the guide?
https://ci.apache.org/projects/wicket/guide/8.x/single.html#_external_security_checks

On Mon, Jul 30, 2018 at 3:18 PM Major Péter <majorpe...@gmail.com> wrote:
>
> Hi,
>
> I'm trying to write a new Wicket application, and I wanted to use CSP
> for added security. It seems that there are two main issues:
> * Wicket's AJAX support is highly dependent on inline and eval'd
>   JavaScript code
> * component visibility is controlled using inline styles
>
> Is WICKET-5406 going to get some traction anytime soon, or are there
> known workarounds for the above issues (like a CSP-friendly AJAX
> implementation)?
>
> Alternatively, I was thinking of a couple of ways to overcome these
> issues, like:
> * trying to use one-off resource references (if possible?) for
>   individual requests, so that instead of eval'ing, the code could
>   simply be loaded instead?
> * have a way to generate and retrieve nonces for inline resources and
>   make sure that Wicket sets the CSP header on its own.
> * update Wicket itself to use text/json script elements to load its
>   configuration and pass JSON objects only for AJAX responses, so that
>   they no longer need to be eval'd.
>
> Are these approaches any good?
>
> Thanks,
> Peter
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
> For additional commands, e-mail: users-h...@wicket.apache.org
>
--
WBR
Maxim aka solomax
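The nonce-based approach Peter sketches in the quoted message (generate a per-request nonce, set the Content-Security-Policy header, tag inline resources with it) can be done outside Wicket in a plain servlet filter. The following is an added example written for this thread; it is not Wicket's code and not code from either poster. The class name CspNonceFilter, the request attribute name csp.nonce and the policy directives are assumptions; the servlet API calls (Filter, setAttribute, setHeader) are standard javax.servlet.

```java
// Added example, not Wicket's own CSP support: a servlet filter that mints a
// fresh nonce per request, sets the CSP header, and publishes the nonce as a
// request attribute so page-rendering code can emit nonce="..." on the inline
// <script>/<style> elements it controls.
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class CspNonceFilter implements Filter {

    /** Request attribute under which the nonce is published (assumed name). */
    public static final String NONCE_ATTRIBUTE = "csp.nonce";

    private static final SecureRandom RANDOM = new SecureRandom();

    /** 128 bits from a CSPRNG, base64-encoded: unpredictable, and valid nonce syntax. */
    static String newNonce() {
        byte[] bytes = new byte[16];
        RANDOM.nextBytes(bytes);
        return Base64.getEncoder().encodeToString(bytes);
    }

    /**
     * Policy for one request. Only inline script/style carrying this request's
     * nonce is allowed; 'unsafe-inline' and 'unsafe-eval' are deliberately absent.
     */
    static String buildPolicy(String nonce) {
        return "default-src 'self'; "
             + "script-src 'self' 'nonce-" + nonce + "'; "
             + "style-src 'self' 'nonce-" + nonce + "'; "
             + "object-src 'none'; base-uri 'self'; frame-ancestors 'self'";
    }

    /** Renders a nonce-tagged inline script. The body must be trusted application code. */
    static String inlineScriptTag(String nonce, String javascript) {
        // The nonce is base64, so it is safe inside a double-quoted attribute unescaped.
        return "<script nonce=\"" + nonce + "\">" + javascript + "</script>";
    }

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        String nonce = newNonce();
        // Make the nonce reachable from rendering code for this request only.
        request.setAttribute(NONCE_ATTRIBUTE, nonce);
        if (response instanceof HttpServletResponse) {
            // Headers must be set before the body is committed, hence before chain.doFilter.
            ((HttpServletResponse) response)
                .setHeader("Content-Security-Policy", buildPolicy(nonce));
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() { }
}
```

Map the filter in web.xml ahead of Wicket's own filter so the header and attribute exist before any page renders. Two caveats follow directly from the issues in the thread: a nonce only authorises inline code that actually carries it, so Wicket's own inline Ajax snippets and inline visibility styles would still be blocked unless they are emitted with the nonce too; and no nonce can authorise eval(), which CSP permits only via 'unsafe-eval', so the eval-based parts of Wicket's Ajax handling need the kind of change Peter's third bullet describes rather than a header tweak.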