Hi, we're currently using wicket 10.1.0, and trying to implement SRI hashes for 
all the javascript/css modules we use for PCI compliance.   It is easy to 
create the integrity and cross origin values needed when the we have the 
control over the creation of the JavaScriptHeaderItem or 
CssReferenceHeaderItem.  It becomes much more difficult when there are 
resources that are created and then stored in wicket framework classes (whether 
we create or the framework that creates these resource references) and then 
these resources are used LATER within the framework which does the actual 
creation of the header items.

As an example try setting the integrity hash for the  "wicket-ajax-jquery.js" 
file which is referenced from the wicket-core-10.1.0.jar.  This resource is 
created initially through the WicketAjaxJQueryResourceReference class and used 
in the JavaScriptLibrarySettings class.    The call getWicketAjaxReference() 
inside the JavaScriptLibrarySettings is used by the framework in various 
places, and those places create the actual JavaScriptReferenceHeaderItem  (see 
OnDomReadyHeaderItem.getDependencies()  as an example).   If we can add both an 
integrity and cross-origin variables to the definition of a ResourceReference 
class, those values could then be used in the rendering of the 
JavaScriptReferenceHeaderItem.   This can be done by overriding the 
getIntegrity function, so if the header item's integrity value is not defined 
(i.e. null) then use the value defined from the ResourceReference (same would 
go for handling the cross-origin).

The same changes for handling CSS header items, by changing the function 
AbstractCssReferenceHeaderItem. internalRenderCSSReference() to more correctly 
handle integrity and cross origin values  (note that the below code changes 
matches what is already being done in 
AbstractJavaScriptReferenceHeaderItem.internalRenderJavaScriptReference, it 
shouldn't reference the class variables directly but through their accessor 
methods)
                                
attributes.putAttribute(CssUtils.ATTR_CROSS_ORIGIN,
                                                crossOrigin == null ? null : 
crossOrigin.getRealName());
                                
attributes.putAttribute(CssUtils.ATTR_INTEGRITY, integrity);
changes to
                                
attributes.putAttribute(CssUtils.ATTR_CROSS_ORIGIN,
                                                getCrossOrigin() == null ? null 
: getCrossOrigin().getRealName());
                                
attributes.putAttribute(CssUtils.ATTR_INTEGRITY, getIntegrity());

The above would help in solving the calls by the framework internally that 
create the header items, without having to override main framework classes to 
support this need.

In addition to this, another change would be to change the 
JavaScriptLibrarySettings.getWicketAjaxReference() to not return a 
ResourceReference but instead return a JavaScriptReferenceHeaderItem.  It looks 
like in all cases we saw, the framework was just taking the resource reference 
and creating the JavaScriptReferenceHeaderItem.  Again, that way it will give 
more control over the actual header reference at least for this particular 
example mentioned above.   Note that this wouldn't solve the other places that 
use other wicket javascript/css resources.

Thoughts?  Does this sound reasonable and would be something to change in 
wicket?


Reply via email to