Skip to content

WICKET-7172: Extend CSP with support for script-src-attr, style-src-attr #1341

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
keesvandieren wants to merge 7 commits into
base: master
Choose a base branch
from
Open

WICKET-7172: Extend CSP with support for script-src-attr, style-src-attr #1341

keesvandieren wants to merge 7 commits into from

Conversation

@keesvandieren
Copy link
Contributor

@keesvandieren keesvandieren commented Dec 31, 2025
edited by martin-g
Loading

Those new directives have been added to CSP in 2022 but are not yet available in Wicket

WICKET-7172

@keesvandieren keesvandieren changed the title Add support for script-src-attr, style-src-attr Extend CSP with support for script-src-attr, style-src-attr Dec 31, 2025
martin-g
martin-g approved these changes Jan 2, 2026
View reviewed changes
Copy link
Member

@martin-g martin-g left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need a JIRA ticket for the changelog.

@keesvandieren
Copy link
Contributor Author

keesvandieren commented Jan 3, 2026

@martin-g created https://issues.apache.org/jira/browse/WICKET-7172

bitstorm
bitstorm reviewed Jan 3, 2026
View reviewed changes
martin-g
martin-g reviewed Jan 4, 2026
View reviewed changes
@martin-g martin-g changed the title Extend CSP with support for script-src-attr, style-src-attr WICKET-7172: Extend CSP with support for script-src-attr, style-src-attr Jan 5, 2026
martin-g
martin-g reviewed Jan 5, 2026
View reviewed changes
martin-g
martin-g requested changes Jan 5, 2026
View reviewed changes
wicket-core/src/main/java/org/apache/wicket/csp/CSPDirective.java
{
if (!existingDirectiveValues.isEmpty())
{
throw new IllegalArgumentException("Directive " + this + " supports only one value");
Copy link
Member

@martin-g martin-g Jan 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

According to https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/script-src-attr#source-expression-list those could have multiple values, not just one.

Copy link
Contributor Author

@keesvandieren keesvandieren Jan 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Technically this is true, but in practice only 2 values are allowed: none and 'unsafe inline'. They contradict each other so shouldn't be used together.

Copy link
Member

@martin-g martin-g Jan 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's hear some more opinions from other CSP users.

My personal opinion is that we should follow the standards but I don't have experience in this area.

Copy link
Contributor Author

@keesvandieren keesvandieren Jan 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually you are correct, my implementation doesn't support all allowed values. These should be allowed:

'none'
'unsafe-hashes'
'unsafe-inline'
'report-sample'

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@martin-g martin-g martin-g requested changes

@bitstorm bitstorm bitstorm approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@keesvandieren @martin-g @bitstorm