Details
Type: Improvement
Status: Resolved
Priority: Major
Resolution: Not A Problem
Description
Each Wicket component should be able to add/remove its own CSP (Content-Security-Policy) rules to the Page and their Response header currently rendered.
Following the description in https://nightlies.apache.org/wicket/guide/9.x/single.html#_content_security_policy_csp all CSP rules are managed via Application settings (class ContentSecurityPolicySettings).
Currently you are able to add/remove key-value pairs to the CSP header configuration for a specific Component (or even Behavior class) at any time, e.g.
    WebApplication.get().getCspSettings().getConfiguration().get(...).add(key, value)
or
    WebApplication.get().getCspSettings().getConfiguration().get(...).remove(key, value)
But as a developer I would expect a more sophisticated way with some hook methods, e.g.
    public void addCSPDirectives(final CSPHeaderConfiguration configuration) {
        configuration.add(CSPDirective.SCRIPT_SRC, new FixedCSPValue("www.foo.com"));
        configuration.add(CSPDirective.STYLE_SRC, CSPDirectiveSrcValue.UNSAFE_INLINE);
    }
where each of these directives is rendered into the response header without caring how this is done. Each of these directives should only be rendered when the component is visible. After the rendering process, the added directives are automatically removed from the map (ContentSecurityPolicySettings#configs).
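As an added example (not from the reporter or the Wicket project) of the application-level API the description refers to: a Wicket 9 application that rebuilds the strict nonce-based blocking policy, allows the one external script host a component needs, and enables a reporting policy; it is configured once in init() rather than per render. MyApplication and the /csp-report endpoint are assumed names.

```java
import org.apache.wicket.csp.CSPDirective;
import org.apache.wicket.csp.CSPDirectiveSrcValue;
import org.apache.wicket.csp.CSPHeaderConfiguration;
import org.apache.wicket.csp.FixedCSPValue;
import org.apache.wicket.protocol.http.WebApplication;

public class MyApplication extends WebApplication {

    @Override
    protected void init() {
        super.init();

        // Wicket 9 enables a strict blocking policy by default; rebuilding it
        // here makes the header the application actually sends explicit.
        CSPHeaderConfiguration blocking = getCspSettings().blocking().clear()
            .add(CSPDirective.DEFAULT_SRC, CSPDirectiveSrcValue.NONE)
            .add(CSPDirective.SCRIPT_SRC, CSPDirectiveSrcValue.STRICT_DYNAMIC,
                 CSPDirectiveSrcValue.NONCE)
            .add(CSPDirective.STYLE_SRC, CSPDirectiveSrcValue.NONCE)
            .add(CSPDirective.IMG_SRC, CSPDirectiveSrcValue.SELF)
            .add(CSPDirective.CONNECT_SRC, CSPDirectiveSrcValue.SELF)
            .add(CSPDirective.FONT_SRC, CSPDirectiveSrcValue.SELF)
            .add(CSPDirective.BASE_URI, CSPDirectiveSrcValue.SELF);

        // A component embedding a third-party script needs that host allowed.
        // Adding it at startup keeps ContentSecurityPolicySettings untouched
        // during request handling: the settings object is shared by the whole
        // application, so adding and removing directives per render would race
        // between concurrent requests and leak one page's allowance into another
        // page's response header.
        blocking.add(CSPDirective.SCRIPT_SRC, new FixedCSPValue("www.foo.com"));

        // A report-only policy alongside the enforced one surfaces violations
        // (and thus which components still need an allowance) without
        // breaking pages. The report endpoint is an assumed path.
        getCspSettings().reporting()
            .add(CSPDirective.DEFAULT_SRC, CSPDirectiveSrcValue.SELF)
            .add(CSPDirective.REPORT_URI, new FixedCSPValue("/csp-report"));
    }
}
```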