[WICKET-7096] stylesheets referenced via automatic linking miss nonce attribute - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 10.0.0-M2
Fix Version/s: 10.0.0, 9.17.0
Component/s: wicket-core
Labels:
None

Description

I am running a Wicket App with:

getCspSettings().blocking();
getMarkupSettings().setAutomaticLinking(true);

I have a base.css file in the same folder as the Wicket page and add it to html like this:

<link rel="stylesheet" href="base.css" type="text/css" />

This is rendered by wicket to

<link rel="stylesheet" href="./wicket/resource/com.example.MyPage/base-ver-1705259207805.css" type="text/css" data-wicket-path="html___autolink__-1754779463"/>

This result in:

Content-Security-Policy: The page’s settings blocked the loading of a resource at http://localhost:8080/wicket/resource/com.example.MyPage/base-ver-1705259207805.css (“style-src”).

-----------------
If I however add the stylesheet programmatically like this:

public void renderHead(final IHeaderResponse response) {
  super.renderHead(response);
  response.render(CssHeaderItem.forReference(new CssResourceReference(MyPage.class, "base.css")));
}

the required nonce is added as expected:

<link rel="stylesheet" href="./wicket/resource/com.example.MyPage/base-ver-1705259207805.css" type="text/css" nonce="Fkg6q7ZOaX_uLN6aFESVwZVM" />

Attachments

Issue Links

links to

GitHub Pull Request #768

Activity

People

Assignee:: Martin Tzvetanov Grigorov

Reporter:: Sebastian T

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 14/Jan/24 19:46

Updated:: 18/Jan/24 08:28

Resolved:: 18/Jan/24 08:28