sebfz1 / wicket-jquery-ui

jQuery UI & Kendo UI integration in Wicket
http://www.7thweb.net/wicket-jquery-ui/

CSP violations when using AutoCompleteTextField #347

Open weber-semedy opened 2 years ago

weber-semedy commented 2 years ago

We are currently in the process of introducing a strict CSP policy for script-src (CspSettings -> add(SCRIPT_SRC, NONCE)), as was introduced with Wicket 9. In our codebase we have some components making use of AutoCompleteTextField. The browser (Firefox 101.0.1) is reporting CSP violations, and templates are no longer working as a result of enforcing the strict policy for scripts.

For example:

```json
{
  "csp-report": {
    "blocked-uri": "eval",
    "column-number": 3530,
    "document-uri": "http://localhost:8080/myPage",
    "line-number": 10,
    "original-policy": "default-src 'none'; script-src 'nonce-ZZRfM1MVULUro_AKuUj2xXx1'; style-src 'unsafe-inline' 'nonce-ZZRfM1MVULUro_AKuUj2xXx1'; img-src *; connect-src 'self'; font-src 'self'; child-src 'self'; base-uri 'self'; frame-src 'self'; report-uri http://localhost:8080/myPage/cspviolations",
    "referrer": "http://localhost:8080/myPage",
    "source-file": "http://localhost:8080/myPage/wicket/resource/com.googlecode.wicket.jquery.ui.template.JQueryTemplateBehavior/jquery.tmpl.min-ver-805C7DC322A386178B37DAB79295445A.js",
    "violated-directive": "script-src"
  }
}
```

sebfz1 commented 2 years ago

Hi Anna, I also tried strict CSP some time ago and it does not work with templates. I didn't see any workaround for this; the templates have to be in a script tag... Maybe it has changed since. Any help with the investigation would be appreciated...

weber-semedy commented 2 years ago

Hi @sebfz1 , thanks for confirming.

I believe we could be more compliant here by using our own HeaderItem similar to JavaScriptContentHeaderItem (instead of the current StringHeaderItem, which JQueryTemplateHeaderItem extends), which should extend AbstractCspHeaderItem. This would ensure that a nonce will be added to the `<script>` tag, fulfilling a strict CSP script-src policy.

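As an added illustration of the approach proposed above (not code from wicket-jquery-ui or from the commenter), the following is a header item that extends Wicket 9's `AbstractCspHeaderItem` and emits the jQuery template in a `<script type="text/x-jquery-tmpl">` tag carrying the request nonce. The class name `CspTemplateHeaderItem`, the `id`/`body` fields and the behavior using it are hypothetical; the Wicket calls (`AbstractCspHeaderItem.getNonce()`, `Response.write`, `Strings.escapeMarkup`) are real. Wicket fills in the nonce on `AbstractCspHeaderItem` subclasses when nonce-based CSP is enabled, before `render` is called. One caveat a practitioner should keep in mind: the report in the issue shows `blocked-uri: "eval"` raised from inside `jquery.tmpl.min.js`; a nonce on the template tag only covers the inline `<script>` element itself, not an `eval`/`new Function` call made by the template engine, which a nonce-only `script-src` never permits.

```java
import java.util.Collections;
import java.util.Objects;

import org.apache.wicket.Component;
import org.apache.wicket.behavior.Behavior;
import org.apache.wicket.markup.head.AbstractCspHeaderItem;
import org.apache.wicket.markup.head.IHeaderResponse;
import org.apache.wicket.request.Response;
import org.apache.wicket.util.string.Strings;

/**
 * Hypothetical CSP-aware template header item (added example, not part of wicket-jquery-ui).
 * Renders: <script type="text/x-jquery-tmpl" id="..." nonce="..."> ...template... </script>
 */
public class CspTemplateHeaderItem extends AbstractCspHeaderItem {
    private static final long serialVersionUID = 1L;

    private final String id;    // DOM id the JS side uses to look the template up
    private final String body;  // jQuery template markup; must not contain "</script>"

    public CspTemplateHeaderItem(String id, String body) {
        this.id = Objects.requireNonNull(id, "id");
        this.body = Objects.requireNonNull(body, "body");
        if (body.toLowerCase().contains("</script")) {
            // A closing tag inside the body would terminate the element early.
            throw new IllegalArgumentException("template body must not contain </script>");
        }
    }

    @Override
    public Iterable<?> getRenderTokens() {
        // Token that de-duplicates this item within one header response.
        return Collections.singletonList("jquery-tmpl-" + id);
    }

    @Override
    public void render(Response response) {
        response.write("<script type=\"text/x-jquery-tmpl\" id=\"");
        response.write(Strings.escapeMarkup(id));
        response.write("\"");
        // getNonce() is populated by Wicket's CSP support when nonces are enabled;
        // it is null when CSP is disabled, in which case no attribute is written.
        String nonce = getNonce();
        if (!Strings.isEmpty(nonce)) {
            response.write(" nonce=\"");
            response.write(Strings.escapeMarkup(nonce));
            response.write("\"");
        }
        response.write(">");
        response.write(body);
        response.write("</script>\n");
    }

    @Override
    public boolean equals(Object o) {
        if (this == o) return true;
        if (!(o instanceof CspTemplateHeaderItem)) return false;
        CspTemplateHeaderItem other = (CspTemplateHeaderItem) o;
        return id.equals(other.id) && body.equals(other.body);
    }

    @Override
    public int hashCode() {
        return Objects.hash(id, body);
    }

    /** Hypothetical usage: a behavior contributing a template the way JQueryTemplateBehavior would. */
    public static class ExampleTemplateBehavior extends Behavior {
        private static final long serialVersionUID = 1L;

        @Override
        public void renderHead(Component component, IHeaderResponse response) {
            super.renderHead(component, response);
            String templateId = component.getMarkupId() + "-template";
            // Constructed sample template body for the example.
            response.render(new CspTemplateHeaderItem(templateId, "<li>${text}</li>"));
        }
    }
}
```

With `getCspSettings()` configured for nonces, the rendered header contains the template tag with the same `nonce` value that the policy header advertises, so the element itself no longer violates `script-src 'nonce-...'`.
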
sebfz1 commented 2 years ago

Thanks Anna, that's interesting! I will try to give it a try, but I'm probably not available for at least 2 weeks... If you want to try it out and submit a PR, you are also very welcome! :)

reiern70 commented 2 years ago

@weber-semedy

I will give it a try this week

stekuth commented 2 years ago

I also use CSP-NONCE and had to .add(CSPDirective.SCRIPT_SRC, CSPDirectiveSrcValue.SELF) to make it work

weber-semedy commented 2 years ago

> I also use CSP-NONCE and had to .add(CSPDirective.SCRIPT_SRC, CSPDirectiveSrcValue.SELF) to make it work

While it might work, it does not comply with a stricter CSP policy. Check the policy, for example, in https://csp-evaluator.withgoogle.com/: "'self' can be problematic if you host JSONP, Angular or user uploaded files." Also, it still does not add any nonce to the script tag because StringHeaderItem is used.
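To make the two configurations discussed in this thread concrete, here is an added example (not code from the issue participants or from wicket-jquery-ui) of how the strict nonce-only policy from the original report and the `'self'` workaround look in a Wicket 9 `WebApplication.init()`. The application class `MyApplication` is hypothetical; `getCspSettings()`, `CSPHeaderConfiguration.clear()/add(...)`, `CSPDirective` and `CSPDirectiveSrcValue` are Wicket 9 API. The `report-uri` from the reported policy is left out here because its Wicket value type is not shown on this page.

```java
import org.apache.wicket.csp.CSPDirective;
import org.apache.wicket.csp.CSPDirectiveSrcValue;
import org.apache.wicket.protocol.http.WebApplication;

/** Hypothetical application class (added example, not part of wicket-jquery-ui). */
public class MyApplication extends WebApplication {

    /** Toggle for the example: false = strict nonce-only script-src, true = the 'self' workaround. */
    static final boolean USE_SELF_WORKAROUND = false;

    @Override
    public Class<? extends org.apache.wicket.Page> getHomePage() {
        return MyPage.class; // hypothetical page class
    }

    @Override
    protected void init() {
        super.init();

        // Policy as in the reported violation, minus report-uri:
        // default-src 'none'; script-src 'nonce-...'; style-src 'unsafe-inline' 'nonce-...';
        // img-src *; connect-src 'self'; font-src 'self'; child-src 'self'; base-uri 'self'; frame-src 'self'
        getCspSettings().blocking().clear()
            .add(CSPDirective.DEFAULT_SRC, CSPDirectiveSrcValue.NONE)
            .add(CSPDirective.STYLE_SRC, CSPDirectiveSrcValue.UNSAFE_INLINE, CSPDirectiveSrcValue.NONCE)
            .add(CSPDirective.IMG_SRC, CSPDirectiveSrcValue.WILDCARD)
            .add(CSPDirective.CONNECT_SRC, CSPDirectiveSrcValue.SELF)
            .add(CSPDirective.FONT_SRC, CSPDirectiveSrcValue.SELF)
            .add(CSPDirective.CHILD_SRC, CSPDirectiveSrcValue.SELF)
            .add(CSPDirective.BASE_URI, CSPDirectiveSrcValue.SELF)
            .add(CSPDirective.FRAME_SRC, CSPDirectiveSrcValue.SELF);

        if (USE_SELF_WORKAROUND) {
            // Workaround from the thread: inline <script> elements without a nonce still fail,
            // but same-origin resource scripts such as jquery.tmpl.min.js are allowed via 'self'.
            // csp-evaluator flags 'self' as problematic when the origin also serves JSONP,
            // Angular or user-uploaded files.
            getCspSettings().blocking()
                .add(CSPDirective.SCRIPT_SRC, CSPDirectiveSrcValue.NONCE, CSPDirectiveSrcValue.SELF);
        } else {
            // Strict form: only scripts carrying the per-request nonce execute. Header items
            // that extend AbstractCspHeaderItem receive that nonce; StringHeaderItem does not.
            getCspSettings().blocking()
                .add(CSPDirective.SCRIPT_SRC, CSPDirectiveSrcValue.NONCE);
        }
    }
}
```

Neither variant allows the `eval` that the original report attributes to `jquery.tmpl.min.js`; only `CSPDirectiveSrcValue.UNSAFE_EVAL` on `SCRIPT_SRC` would, which is exactly the loosening a strict policy is meant to avoid, so that part of the report needs a fix in the template engine rather than in the policy.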