Uploaded image for project: 'Wicket'
  1. Wicket
  2. WICKET-6813

Setting child-src does not update frame-src after initial assignment

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Minor
    • Resolution: Fixed
    • 9.0.0-M5, 9.0.0
    • 9.1.0
    • wicket-core
    • None

    Description

      When configuring CHILD_SRC Wicket also configures FRAME_SRC (CSPHeaderConfiguration.doAddDirective) however it only does this when FRAME_SRC is not set.

      Since unsafeInline() sets CHILD_SRC to 'self', adding other CHILD_SRC directive values will not update the FRAME_SRC value anymore. The CSP settings in the code below causes a Refused to frame 'https://docs.google.com/' because it violates the following Content Security Policy directive: "frame-src 'self'". error.

       getCspSettings().blocking()
	.unsafeInline()
	.add(CSPDirective.SCRIPT_SRC, "https://apis.google.com/")
	.add(CSPDirective.CHILD_SRC, "https://docs.google.com/");

      A workaround is to add FRAME_SRC yourself manually to the code above (.add(CSPDirective.FRAME_SRC, "https://docs.google.com/")) but I would have expected the code to work without adding this.

      Attachments

        Issue Links

          is duplicated by

          Bug - A problem which impairs or prevents the functions of the product. WICKET-6812 CSPHeaderConfiguration only copies first value from child-src to frame-src

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed

          Activity

            People

              papegaaij Emond Papegaaij
              msnijder Mark Snijder
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: