
CSP violations when using AutoCompleteTextField

Open weber-semedy opened this issue 2 years ago • 6 comments

We are currently in the process of introducing a strict CSP policy for script src (CspSettings -> add(SCRIPT_SRC, NONCE)), as was introduced with Wicket 9. In our codebase we have some components making use of AutoCompleteTextField. The browser (Firefox 101.0.1) is reporting CSP violations, and templates are no longer working as a result of enforcing the strict policy for scripts.

For example:

{"csp-report":{"blocked-uri":"eval","column-number":3530,"document-uri":"http://localhost:8080/myPage","line-number":10,"original-policy":"default-src 'none'; script-src 'nonce-ZZRfM1MVULUro_AKuUj2xXx1'; style-src 'unsafe-inline' 'nonce-ZZRfM1MVULUro_AKuUj2xXx1'; img-src *; connect-src 'self'; font-src 'self'; child-src 'self'; base-uri 'self'; frame-src 'self'; report-uri http://localhost:8080/myPage/cspviolations","referrer":"http://localhost:8080/myPage","source-file":"http://localhost:8080/myPage/wicket/resource/com.googlecode.wicket.jquery.ui.template.JQueryTemplateBehavior/jquery.tmpl.min-ver-805C7DC322A386178B37DAB79295445A.js","violated-directive":"script-src"}}

weber-semedy avatar Jul 01 '22 08:07 weber-semedy

Hi Anna, I also tried strict CSP some time ago and that does not work with templates. I didn't see any workaround for this, the templates have to be in a script tag... Maybe it changed since. Any help with the investigation would be appreciated...

sebfz1 avatar Jul 01 '22 14:07 sebfz1

Hi @sebfz1 , thanks for confirming.

I believe we could be more compliant here by using our own HeaderItem similar to JavaScriptContentHeaderItem (instead of the current StringHeaderItem which is extended in JQueryTemplateHeaderItem), which should extend AbstractCspHeaderItem. This would ensure that a nonce will be added to , fulfilling a strict CSP script src policy.

weber-semedy avatar Jul 04 '22 11:07 weber-semedy

Thanks Anna, that's interesting! I will try to give it a try, but I'm probably not available before at least 2 weeks... If you want to try it out and submit a PR, you are also very welcome! :)

sebfz1 avatar Jul 04 '22 12:07 sebfz1

@weber-semedy

I will give it a try this week

reiern70 avatar Jul 04 '22 12:07 reiern70

I also use CSP-NONCE and had to .add(CSPDirective.SCRIPT_SRC, CSPDirectiveSrcValue.SELF) to make it work

stekuth avatar Jul 04 '22 13:07 stekuth

> I also use CSP-NONCE and had to .add(CSPDirective.SCRIPT_SRC, CSPDirectiveSrcValue.SELF) to make it work

While it might work, it does not comply with a stricter CSP policy. Check the policy for example in https://csp-evaluator.withgoogle.com/: "'self' can be problematic if you host JSONP, Angular or user uploaded files." Also, it still does not add any nonce to script tag because StringHeaderItem is used.

weber-semedy avatar Jul 05 '22 05:07 weber-semedy
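Added example (editor's code, not from wicket-jquery-ui or Apache Wicket): it sketches the HeaderItem approach proposed above, a template header item extending AbstractCspHeaderItem so that Wicket's nonce decorator stamps the per-request nonce onto the template's script tag, next to the nonce-only script-src configuration discussed in the later comments. It assumes the Wicket 9 API as I know it (AbstractCspHeaderItem with getNonce(), Strings.escapeMarkup, getCspSettings().blocking().add(...)); the package, class names, template id and template body are constructed. One caveat for anyone reproducing the report at the top of the thread: a violation whose blocked-uri is "eval" is raised by runtime code evaluation and is governed by 'unsafe-eval', which a nonce on the template tag does not cover, so the nonce fixes the inline-template part of the problem, not an eval inside the template library.

```java
// Hypothetical package and class names; not part of wicket-jquery-ui.
package com.example.csp;

import java.util.Collections;

import org.apache.wicket.csp.CSPDirective;
import org.apache.wicket.csp.CSPDirectiveSrcValue;
import org.apache.wicket.markup.head.AbstractCspHeaderItem;
import org.apache.wicket.markup.head.IHeaderResponse;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.request.Response;
import org.apache.wicket.util.string.Strings;

/**
 * Renders a jQuery template inside a nonce-carrying script tag.
 * Assumption: Wicket 9's CSP nonce header-response decorator calls setNonce()
 * on every AbstractCspHeaderItem it renders, so getNonce() is populated here.
 */
public class CspTemplateHeaderItem extends AbstractCspHeaderItem {
    private final String id;
    private final String template;

    public CspTemplateHeaderItem(String id, String template) {
        this.id = id;
        this.template = template;
    }

    @Override
    public Iterable<?> getRenderTokens() {
        // One token per template id, so the same template is emitted once per page.
        return Collections.singletonList("jquery-tmpl-" + id);
    }

    @Override
    public void render(Response response) {
        // The tag is written by hand rather than via JavaScriptUtils.writeInlineScript,
        // because that helper wraps the body in CDATA comment markers and rewrites "</",
        // which would corrupt template markup. The template body is developer-authored
        // markup and is written verbatim; only the attributes are escaped.
        String nonce = getNonce();
        response.write("<script type=\"text/x-jquery-tmpl\" id=\"");
        response.write(Strings.escapeMarkup(id));
        response.write("\"");
        if (nonce != null) {
            response.write(" nonce=\"");
            response.write(Strings.escapeMarkup(nonce));
            response.write("\"");
        }
        response.write(">");
        response.write(template);
        response.write("</script>\n");
    }
}

/** Hypothetical page showing how the item is contributed. */
class AutoCompletePage extends WebPage {
    @Override
    public void renderHead(IHeaderResponse response) {
        super.renderHead(response);
        // Constructed sample template; a real one comes from the component's resource.
        response.render(new CspTemplateHeaderItem(
            "autocomplete-item-tmpl", "<li><a>${label}</a></li>"));
    }
}

/** Hypothetical application: nonce-only script-src, no 'self' fallback. */
class CspApplication extends WebApplication {
    @Override
    public Class<? extends WebPage> getHomePage() {
        return AutoCompletePage.class;
    }

    @Override
    protected void init() {
        super.init();
        // Only nonce'd scripts may run. Adding CSPDirectiveSrcValue.SELF to SCRIPT_SRC
        // would also allow any same-origin script URL, which is the weaker policy the
        // CSP evaluator flags; it is not needed once the template tag carries a nonce.
        getCspSettings().blocking().clear()
            .add(CSPDirective.DEFAULT_SRC, CSPDirectiveSrcValue.NONE)
            .add(CSPDirective.SCRIPT_SRC, CSPDirectiveSrcValue.NONCE)
            .add(CSPDirective.STYLE_SRC, CSPDirectiveSrcValue.NONCE);
    }
}
```

To check the result, load the page with the policy in report-only or blocking mode and confirm in the browser's network panel that the rendered template tag carries the same nonce value that the Content-Security-Policy header advertises for script-src; any remaining report with blocked-uri "eval" then points at code evaluation in the template library rather than at the tag itself.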