Details
-
Bug
-
Status: Resolved
-
Major
-
Resolution: Fixed
-
10.0.0-M2
-
None
Description
I am running a Wicket App with:
getCspSettings().blocking();
getMarkupSettings().setAutomaticLinking(true);
I have a base.css file in the same folder as the Wicket page and add it to html like this:
<link rel="stylesheet" href="base.css" type="text/css" />
This is rendered by wicket to
<link rel="stylesheet" href="./wicket/resource/com.example.MyPage/base-ver-1705259207805.css" type="text/css" data-wicket-path="html___autolink__-1754779463"/>
This result in:
Content-Security-Policy: The page’s settings blocked the loading of a resource at http://localhost:8080/wicket/resource/com.example.MyPage/base-ver-1705259207805.css (“style-src”).
-----------------
If I however add the stylesheet programmatically like this:
public void renderHead(final IHeaderResponse response) { super.renderHead(response); response.render(CssHeaderItem.forReference(new CssResourceReference(MyPage.class, "base.css"))); }
the required nonce is added as expected:
<link rel="stylesheet" href="./wicket/resource/com.example.MyPage/base-ver-1705259207805.css" type="text/css" nonce="Fkg6q7ZOaX_uLN6aFESVwZVM" />
Attachments
Issue Links
- links to