inception
Enable Wicket CSP
Describe the refactoring action
Wicket has for some time had support for CSP measures. Currently we have disabled them because there are parts of the code which do not comply with the rules. We need to look into these and fix them (e.g. avoid inline JS and inline CSS).
Expected benefit
Ability to turn on modern CSP measures and remain compatible with browsers.
Actually, it turns out that Kendo is auto-activating CSP, although with unsafe-eval and unsafe-inline. However, there are JS libraries (e.g. probably Kendo but also the Bootstrap Fileinput) that won't work without these settings... so we probably cannot nail CSP down any further.
    import org.apache.wicket.csp.CSPDirective;
    import org.apache.wicket.csp.CSPDirectiveSrcValue;

    // relax the enforced (blocking) policy for the third-party widgets
    webApplication.getCspSettings().blocking()
        .add(CSPDirective.STYLE_SRC, CSPDirectiveSrcValue.UNSAFE_INLINE)   // inline CSS
        .add(CSPDirective.SCRIPT_SRC, CSPDirectiveSrcValue.UNSAFE_EVAL);   // eval()-style JS
Kendo sets it up, but yeah... then we disable it again and we shouldn't...
Tried setting CSP up slightly better than not enabling it at all.
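As an added example (not code from the project or from anyone in this issue), the following shows how the Wicket 9 CSP API can carry two policies at once: an enforced one that still grants the 'unsafe-inline' / 'unsafe-eval' relaxations discussed above, and a stricter report-only one that makes the remaining inline JS/CSS show up as browser violation reports instead of breaking pages. It goes slightly beyond the thread in one point that matters for the snippet above: per the CSP spec, browsers ignore 'unsafe-inline' in a directive that also carries a nonce or hash, and Wicket's strict() preset puts a nonce on script-src and style-src, so adding UNSAFE_INLINE on top of the preset has no effect ('unsafe-eval' is not affected by nonces). The class name, the nested HomePage and the /csp-report endpoint are assumptions for illustration.

```java
import org.apache.wicket.csp.CSPDirective;
import org.apache.wicket.csp.CSPDirectiveSrcValue;
import org.apache.wicket.csp.ContentSecurityPolicySettings;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.protocol.http.WebApplication;

/**
 * Added example, not code from the INCEpTION project or from this issue.
 * Demonstrates an enforced CSP that keeps the widget relaxations working
 * plus a report-only CSP at the intended (strict) level.
 */
public class CspExampleApplication extends WebApplication {

    /** Hypothetical home page, only here so the application class compiles. */
    public static class HomePage extends WebPage {
    }

    @Override
    public Class<? extends WebPage> getHomePage() {
        return HomePage.class;
    }

    @Override
    protected void init() {
        super.init();
        ContentSecurityPolicySettings csp = getCspSettings();

        // Enforced policy (Content-Security-Policy header). Built explicitly
        // instead of on top of strict(): strict() adds a nonce to style-src,
        // and browsers ignore 'unsafe-inline' when a nonce is present in the
        // same directive, so the relaxation would silently do nothing.
        csp.blocking()
            .clear()
            .add(CSPDirective.DEFAULT_SRC, CSPDirectiveSrcValue.NONE)
            // Wicket's own inline scripts carry the nonce; 'unsafe-eval' is what
            // the eval()-based widget code needs and it coexists with nonces.
            .add(CSPDirective.SCRIPT_SRC,
                 CSPDirectiveSrcValue.SELF,
                 CSPDirectiveSrcValue.NONCE,
                 CSPDirectiveSrcValue.UNSAFE_EVAL)
            // No nonce here on purpose, otherwise 'unsafe-inline' is ignored.
            .add(CSPDirective.STYLE_SRC,
                 CSPDirectiveSrcValue.SELF,
                 CSPDirectiveSrcValue.UNSAFE_INLINE)
            .add(CSPDirective.IMG_SRC, CSPDirectiveSrcValue.SELF)
            .add(CSPDirective.FONT_SRC, CSPDirectiveSrcValue.SELF)
            .add(CSPDirective.CONNECT_SRC, CSPDirectiveSrcValue.SELF)
            .add(CSPDirective.FRAME_SRC, CSPDirectiveSrcValue.SELF)
            .add(CSPDirective.BASE_URI, CSPDirectiveSrcValue.SELF);

        // Report-only policy (Content-Security-Policy-Report-Only header):
        // Wicket's strict preset, i.e. the target state once the inline JS/CSS
        // has been removed. Browsers evaluate it alongside the enforced policy
        // but only send violation reports, so offending pages and widgets can
        // be located without breaking them.
        csp.reporting()
            .strict()
            // Hypothetical endpoint (assumed to exist) that logs the JSON reports.
            .add(CSPDirective.REPORT_URI, "/csp-report");
    }
}
```

The split is what makes incremental tightening practical: the enforced policy can be relaxed exactly as far as the widgets require, while the report log for the strict policy is the work list for removing inline JS and inline CSS; once it stays empty, the report-only configuration can simply be moved to blocking().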