Oops, my goof.
It seemed that
[Report Only] Refused to load the script
'http://localhost:8080/wicket/resource/com.test.MyPage/myPage-ver-1764644245913.js'
because it violates the following Content Security Policy directive:
"script-src-elem 'none'".
is just a warning; debugging the JavaScript in the browser shows that the bug
is in the JS code itself.
On 02/12/2025 16:21, andrew goh wrote:
hi,
I'm confronting an issue that I'm not sure how to resolve short of
perhaps changing the wicket core code related to CSP directive
script-src-elem.
I'm currently using Apache Wicket 9.x, and it generates a CSP header
like:
Content-Security-Policy : default-src 'none'; script-src
'strict-dynamic' 'nonce-sqPrL7IoGxg7lu_zuU8R3Kpv' 'self' localhost
localhost:8080; style-src 'nonce-sqPrL7IoGxg7lu_zuU8R3Kpv' 'self'
https://fonts.googleapis.com/css; img-src 'self'; connect-src 'self';
font-src 'self' https://fonts.gstatic.com; manifest-src 'self';
child-src 'self'; base-uri 'self'; frame-src 'self'
The localhost and 'self' entries for the script-src directive are added in
init() via
getCspSettings().blocking().add(CSPDirective.SCRIPT_SRC, "'self'");
etc.
However, I'm getting an error in Chrome (v123, old, not the latest):
[Report Only] Refused to load the script
'http://localhost:8080/wicket/resource/com.test.MyPage/myPage-ver-1764644245913.js'
because it violates the following Content Security Policy directive:
"script-src-elem 'none'".
A page describing script-src-elem CSP directive is here:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/script-src-elem
If you review the Wicket 9 generated CSP header, script-src-elem
actually isn't specified, but Chrome enforces it as
script-src-elem 'none'
which prevents any JavaScript from being loaded.
Currently, this script-src-elem directive is not in the source (and
neither is it in earlier releases e.g. v9)
https://github.com/apache/wicket/blob/master/wicket-core/src/main/java/org/apache/wicket/csp/CSPDirective.java
And as it is an enum, it can't be subclassed.
I tried doing, say, in my Page something like
WebResponse webResponse = (WebResponse)
getRequestCycle().getResponse();
webResponse.addHeader("Content-Security-Policy",
"script-src-elem 'self' ; script-src 'self'");
say in onBeforeRender(); however, while debugging it, I noted that the
CSP header is overridden later in CSPRequestCycleListener.
Hence, currently, I've no means to run the JavaScript linked in the
page.
Thanks much in advance for any help.
Andrew
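A model of the browser-side decision behind the console message quoted above, added here as an example; it is not code from this thread or from Apache Wicket. It applies the CSP3 fallback rule the linked MDN page describes: script-src-elem governs <script src> elements, falls back to script-src, and then to default-src, so a header with no script-src-elem is judged by its script-src value. Because the quoted script-src contains 'strict-dynamic', a CSP3 browser ignores 'self' and the localhost host sources for script elements and allows the load only through the nonce. The header, page URL and script URL in the block are constructed from the values quoted above (nonce shortened); the function names are the example's own.

```javascript
// Added example, not code from the thread or from Apache Wicket: a small
// model of what a CSP3 browser decides for a parser-inserted
// <script src="..."> element.  It covers only what the discussion turns on:
// the fallback chain script-src-elem -> script-src -> default-src, the
// keywords 'none', 'self', 'nonce-...' and 'strict-dynamic', and scheme/host
// sources.  Hashes, wildcard hosts, paths, redirects, the http->https upgrade
// rule and non-parser-inserted scripts are deliberately out of scope.
const DEFAULT_PORT = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Parse a header value into Map<directive name, [source expressions]>.
// A repeated directive name is ignored: the first occurrence wins.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// The directive governing <script src> elements per the CSP3 fallback list.
// null means no directive applies, so the load is allowed.
function governingDirective(directives) {
  for (const name of ["script-src-elem", "script-src", "default-src"]) {
    if (directives.has(name)) return { name, sources: directives.get(name) };
  }
  return null;
}

// Match one scheme-source ("https:") or host-source ("localhost",
// "localhost:8080", "https://cdn.example.com") against the script URL.
// A host source without a port matches only the scheme's default port,
// so "localhost" alone does not cover localhost:8080.
function hostSourceMatches(expr, url) {
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return expr.toLowerCase() === url.protocol;
  let scheme = null, rest = expr;
  const m = /^([a-z][a-z0-9+.-]*):\/\/(.+)$/i.exec(expr);
  if (m) { scheme = m[1].toLowerCase() + ":"; rest = m[2]; }
  if (scheme !== null && scheme !== url.protocol) return false;
  const [host, port] = rest.split("/")[0].split(":");
  if (host.toLowerCase() !== url.hostname.toLowerCase()) return false;
  const urlPort = url.port || DEFAULT_PORT[url.protocol] || "";
  if (port === undefined) return urlPort === (DEFAULT_PORT[url.protocol] || "");
  return port === "*" || port === urlPort;
}

// Decide whether <script src=scriptUrl nonce=scriptNonce> on a page at
// pageUrl may load.  Returns { allowed, directive, reason } so the caller
// sees which directive decided, much as the browser console message does.
function scriptElementAllowed(policyHeader, pageUrl, scriptUrl, scriptNonce = null) {
  const gov = governingDirective(parsePolicy(policyHeader));
  if (gov === null) return { allowed: true, directive: null, reason: "no applicable directive" };
  const page = new URL(pageUrl), script = new URL(scriptUrl);
  const verdict = (allowed, reason) => ({ allowed, directive: gov.name, reason });
  // Quoted entries are keywords/nonces; unquoted ones are scheme/host sources.
  const keywords = gov.sources.filter((s) => /^'.*'$/.test(s)).map((s) => s.slice(1, -1));
  const hosts = gov.sources.filter((s) => !/^'.*'$/.test(s));

  if (gov.sources.length === 0 || (gov.sources.length === 1 && keywords[0]?.toLowerCase() === "none")) {
    return verdict(false, `${gov.name} 'none'`);
  }
  if (scriptNonce && keywords.includes(`nonce-${scriptNonce}`)) return verdict(true, "nonce matched");
  if (keywords.some((k) => k.toLowerCase() === "strict-dynamic")) {
    // CSP3: with 'strict-dynamic', 'self', 'unsafe-inline' and every scheme/host
    // source are ignored, so a parser-inserted script needs a matching nonce or hash.
    return verdict(false, "'strict-dynamic' set and no matching nonce; 'self' and host sources are ignored");
  }
  if (keywords.some((k) => k.toLowerCase() === "self") && page.origin === script.origin) {
    return verdict(true, "'self' matched");
  }
  if (hosts.some((h) => h !== "*" && hostSourceMatches(h, script))) return verdict(true, "host source matched");
  if (hosts.includes("*") && /^(https?|wss?):$/.test(script.protocol)) return verdict(true, "'*' matched");
  return verdict(false, `no source in ${gov.name} matches ${script.href}`);
}

// Constructed sample: the blocking header quoted in the thread, nonce shortened
// (illustrative value, not a real nonce), plus the page and script URLs.
const WICKET_HEADER =
  "default-src 'none'; script-src 'strict-dynamic' 'nonce-sqPrL7Io' 'self' localhost localhost:8080; " +
  "style-src 'nonce-sqPrL7Io' 'self' https://fonts.googleapis.com/css; img-src 'self'; " +
  "connect-src 'self'; font-src 'self' https://fonts.gstatic.com; manifest-src 'self'; " +
  "child-src 'self'; base-uri 'self'; frame-src 'self'";
const PAGE = "http://localhost:8080/";
const SCRIPT = "http://localhost:8080/wicket/resource/com.test.MyPage/myPage-ver-1764644245913.js";

if (typeof require !== "undefined" && require.main === module) {
  console.log(scriptElementAllowed(WICKET_HEADER, PAGE, SCRIPT));             // blocked: no nonce
  console.log(scriptElementAllowed(WICKET_HEADER, PAGE, SCRIPT, "sqPrL7Io")); // allowed: nonce
  console.log(scriptElementAllowed("script-src-elem 'none'; script-src 'self'", PAGE, SCRIPT)); // blocked
}
```

Run it with node to see the three verdicts. The practical consequence for the configuration above is that the 'self', localhost and localhost:8080 entries added to script-src are inert as long as 'strict-dynamic' is present; what lets Wicket's script elements load is the nonce on each tag, and an element without that nonce is refused whatever host it comes from.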