Details
- Improvement
- Status: Resolved
- Minor
- Resolution: Fixed
- None
Description
Better support for the Content Security Policy (http://en.wikipedia.org/wiki/Content_Security_Policy) would protect against cross-site scripting attacks and improve the security image of Wicket.
The main problem at the moment is the heavily used inline JavaScript code, which interferes with the whitelisting mechanism of script sources in the CSP and should be avoided.
Issue Links
- is a parent of
  - WICKET-6682 Improve JavaScriptContentHeaderItem and JavaScriptUtils to support nonce (Resolved)
- is related to
  - WICKET-6832 CSP support in Java 8 (Resolved)
  - WICKET-6821 Completely disable CSP support (Resolved)