Open weber-semedy opened 2 years ago
Hi Anna, I also tried strict CSP some time ago and it did not work with templates. I didn't see any workaround for this; the templates have to be in a script tag... Maybe it has changed since. Any help with the investigation would be appreciated...
Hi @sebfz1 , thanks for confirming.
I believe we could be more compliant here by using our own `HeaderItem`, similar to `JavaScriptContentHeaderItem` (instead of the current `StringHeaderItem`, which is extended in `JQueryTemplateHeaderItem`), which should extend `AbstractCspHeaderItem`. This would ensure that a nonce will be added to `<script>`, fulfilling a strict CSP script-src policy.
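The header item sketched in the comment above, written out as an added example (it is not code from the wicket-jquery-ui project or from Apache Wicket, and the class name `NonceTemplateHeaderItem`, the package `example` and the `renderHead` usage in the comments are made up for illustration). It assumes Wicket 9.x, where `AbstractCspHeaderItem` carries a `getNonce()` and Wicket's CSP header-response decorator sets that nonce on every `AbstractCspHeaderItem` before `render()` runs when CSP is enabled in `getCspSettings()`; if your Wicket version differs, check those two points first.

```java
package example; // hypothetical package, not part of Wicket or wicket-jquery-ui

import java.util.Collections;
import java.util.Objects;

import org.apache.wicket.markup.head.AbstractCspHeaderItem;
import org.apache.wicket.request.Response;
import org.apache.wicket.util.string.Strings;

/**
 * Renders a template in a script tag and carries the CSP nonce.
 *
 * Extending AbstractCspHeaderItem (instead of StringHeaderItem) is what lets Wicket's
 * CSP machinery hand the per-request nonce to this item; StringHeaderItem is written
 * to the response untouched and therefore never gets a nonce attribute.
 *
 * Usage in a component (hypothetical ids and template text):
 *   response.render(new NonceTemplateHeaderItem("item-tmpl", "text/x-jquery-tmpl", "<li>${name}</li>"));
 */
public class NonceTemplateHeaderItem extends AbstractCspHeaderItem
{
	private static final long serialVersionUID = 1L;

	private final String id;
	private final String type;
	private final CharSequence template;

	public NonceTemplateHeaderItem(String id, String type, CharSequence template)
	{
		this.id = Objects.requireNonNull(id, "id");
		this.type = Objects.requireNonNull(type, "type");
		this.template = Objects.requireNonNull(template, "template");
		// A template body is HTML, not JavaScript, so it cannot be backslash-escaped
		// the way JavaScriptUtils protects inline scripts. Refuse content that would
		// terminate the script element early and let attacker-controlled markup out.
		if (template.toString().toLowerCase().contains("</script"))
		{
			throw new IllegalArgumentException("template must not contain '</script'");
		}
	}

	@Override
	public Iterable<?> getRenderTokens()
	{
		// One token per template id: the same template is rendered once per page.
		return Collections.singletonList("template-" + id);
	}

	@Override
	public void render(Response response)
	{
		response.write("<script type=\"");
		response.write(Strings.escapeMarkup(type));
		response.write("\" id=\"");
		response.write(Strings.escapeMarkup(id));
		response.write("\"");
		// getNonce() is null when CSP is disabled in the application; then the tag is
		// rendered without a nonce, exactly like JavaScriptContentHeaderItem behaves.
		String nonce = getNonce();
		if (!Strings.isEmpty(nonce))
		{
			response.write(" nonce=\"");
			response.write(Strings.escapeMarkup(nonce));
			response.write("\"");
		}
		response.write(">\n");
		response.write(template);
		response.write("\n</script>\n");
	}
}
```

Two things worth checking in a real implementation: `equals`/`hashCode` on the item (Wicket uses them to de-duplicate header items), and whether the template text itself can ever contain user input, in which case the `</script` check above is the minimum, not a complete sanitiser.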
Thanks Anna, that's interesting! I will give it a try, but I'm probably not available for at least 2 weeks... If you want to try it out and submit a PR, you are also very welcome! :)
@weber-semedy I will give it a try this week
I also use CSP-NONCE and had to `.add(CSPDirective.SCRIPT_SRC, CSPDirectiveSrcValue.SELF)` to make it work
While it might work, it does not comply with a stricter CSP policy. Check the policy, for example, in https://csp-evaluator.withgoogle.com/: "'self' can be problematic if you host JSONP, Angular or user uploaded files."
Also, it still does not add any nonce to the script tag because `StringHeaderItem` is used.
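The two script-src configurations discussed in this exchange side by side, as an added example for a Wicket 9 `WebApplication.init()` (this is not code from the thread participants or from the Wicket project; the class name `CspExampleApplication` is hypothetical). It assumes the Wicket 9 CSP API: `getCspSettings().blocking()` returning a configuration with `clear()` and `add(CSPDirective, CSPDirectiveSrcValue...)`, and the enum constants used below.

```java
package example; // hypothetical package

import org.apache.wicket.csp.CSPDirective;
import org.apache.wicket.csp.CSPDirectiveSrcValue;
import org.apache.wicket.protocol.http.WebApplication;

public class CspExampleApplication extends WebApplication
{
	@Override
	protected void init()
	{
		super.init();

		// Workaround from the thread: keep the nonce but also allow any script served
		// from this origin. It makes the templates load, but the CSP evaluator flags it:
		// with 'self' any JSONP endpoint, user-uploaded file or script already hosted on
		// the same origin becomes a valid script source, so the nonce no longer gates
		// script execution.
		//
		// getCspSettings().blocking().add(CSPDirective.SCRIPT_SRC, CSPDirectiveSrcValue.SELF);

		// Nonce-only script-src (what the thread is trying to reach). Under this policy
		// every inline <script> Wicket emits must carry the per-request nonce, which is
		// why header items that render script tags have to extend AbstractCspHeaderItem.
		getCspSettings().blocking()
			.clear()
			.add(CSPDirective.DEFAULT_SRC, CSPDirectiveSrcValue.NONE)
			.add(CSPDirective.SCRIPT_SRC, CSPDirectiveSrcValue.NONCE, CSPDirectiveSrcValue.STRICT_DYNAMIC)
			.add(CSPDirective.STYLE_SRC, CSPDirectiveSrcValue.NONCE)
			.add(CSPDirective.IMG_SRC, CSPDirectiveSrcValue.SELF)
			.add(CSPDirective.CONNECT_SRC, CSPDirectiveSrcValue.SELF)
			.add(CSPDirective.FONT_SRC, CSPDirectiveSrcValue.SELF)
			.add(CSPDirective.BASE_URI, CSPDirectiveSrcValue.NONE)
			.add(CSPDirective.CHILD_SRC, CSPDirectiveSrcValue.SELF);
	}
}
```

With the second configuration, a violation reported by the browser for a template `<script>` tag is a sign that the header item rendering it did not receive the nonce, not a sign that the policy needs `'self'`; paste the emitted header into the CSP evaluator linked above to confirm the policy itself is clean.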
We are currently in the process of introducing a strict CSP policy for script-src (`CspSettings -> add(SCRIPT_SRC, NONCE)`), as was introduced with Wicket 9. In our codebase we have some components making use of `AutoCompleteTextField`. The browser (Firefox 101.0.1) is reporting CSP violations, and templates are no longer working as a result of enforcing the strict policy for scripts. For example: