
CSP violations when using AutoCompleteTextField #347

Open
weber-semedy opened this issue Jul 1, 2022 · 6 comments

Comments

@weber-semedy

We are currently in the process of introducing a strict CSP policy for script-src (`CspSettings -> add(SCRIPT_SRC, NONCE)`), as introduced with Wicket 9.
In our codebase we have some components making use of `AutoCompleteTextField`. The browser (Firefox 101.0.1) is reporting CSP violations, and templates are no longer working as a result of enforcing the strict policy for scripts.

For example:

```json
{
  "csp-report": {
    "blocked-uri": "eval",
    "column-number": 3530,
    "document-uri": "http://localhost:8080/myPage",
    "line-number": 10,
    "original-policy": "default-src 'none'; script-src 'nonce-ZZRfM1MVULUro_AKuUj2xXx1'; style-src 'unsafe-inline' 'nonce-ZZRfM1MVULUro_AKuUj2xXx1'; img-src *; connect-src 'self'; font-src 'self'; child-src 'self'; base-uri 'self'; frame-src 'self'; report-uri http://localhost:8080/myPage/cspviolations",
    "referrer": "http://localhost:8080/myPage",
    "source-file": "http://localhost:8080/myPage/wicket/resource/com.googlecode.wicket.jquery.ui.template.JQueryTemplateBehavior/jquery.tmpl.min-ver-805C7DC322A386178B37DAB79295445A.js",
    "violated-directive": "script-src"
  }
}
```
@sebfz1
Owner

sebfz1 commented Jul 1, 2022 via email

@weber-semedy
Author

Hi @sebfz1, thanks for confirming.

I believe we could be more compliant here by using our own `HeaderItem`, similar to `JavaScriptContentHeaderItem` (instead of the current `StringHeaderItem`, which is extended in `JQueryTemplateHeaderItem`), which should extend `AbstractCspHeaderItem`. This would ensure that a nonce will be added to `<script></script>`, fulfilling a strict CSP script-src policy.

@sebfz1
Owner

sebfz1 commented Jul 4, 2022 via email

@reiern70

reiern70 commented Jul 4, 2022

@weber-semedy

I will give it a try this week.

@stekuth

stekuth commented Jul 4, 2022

I also use CSP-NONCE and had to `.add(CSPDirective.SCRIPT_SRC, CSPDirectiveSrcValue.SELF)` to make it work.

@weber-semedy
Author

> I also use CSP-NONCE and had to `.add(CSPDirective.SCRIPT_SRC, CSPDirectiveSrcValue.SELF)` to make it work.

While it might work, it does not comply with a stricter CSP policy. Check the policy, for example, in https://csp-evaluator.withgoogle.com/: "'self' can be problematic if you host JSONP, Angular or user uploaded files." Also, it still does not add any nonce to the script tag because `StringHeaderItem` is used.
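The thread turns on which source expression the `script-src` directive is actually missing. The following is an added example, not code from this issue, from Wicket or from the wicket-jquery-ui project: a small JavaScript triage helper that parses the policy carried inside a CSP violation report and classifies the `blocked-uri` by CSP semantics. It uses the report posted at the top of the issue, reproduced verbatim, as its sample input. The function names `parsePolicy`, `effectiveSources` and `classifyViolation`, and the shape of the result object, are this example's own. The point it makes is the distinction a nonce can and cannot cover: a `blocked-uri` of `inline` or a script URL is satisfied by a matching nonce attribute on the element, whereas a `blocked-uri` of `eval` reports a blocked `eval()`/`new Function()` call, which only `'unsafe-eval'` permits, so neither a nonce on the `<script>` tag nor `'self'` changes that report.

```javascript
// Added example (not code from the issue or from wicket-jquery-ui):
// triage a CSP violation report against the policy it carries.

// Sample input: the report posted in the issue, reproduced verbatim.
const sampleReport = {
  "csp-report": {
    "blocked-uri": "eval",
    "column-number": 3530,
    "document-uri": "http://localhost:8080/myPage",
    "line-number": 10,
    "original-policy": "default-src 'none'; script-src 'nonce-ZZRfM1MVULUro_AKuUj2xXx1'; style-src 'unsafe-inline' 'nonce-ZZRfM1MVULUro_AKuUj2xXx1'; img-src *; connect-src 'self'; font-src 'self'; child-src 'self'; base-uri 'self'; frame-src 'self'; report-uri http://localhost:8080/myPage/cspviolations",
    "referrer": "http://localhost:8080/myPage",
    "source-file": "http://localhost:8080/myPage/wicket/resource/com.googlecode.wicket.jquery.ui.template.JQueryTemplateBehavior/jquery.tmpl.min-ver-805C7DC322A386178B37DAB79295445A.js",
    "violated-directive": "script-src"
  }
};

// Parse "name v1 v2; name v1 ..." into a Map of directive name -> source list.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    directives.set(name.toLowerCase(), values);
  }
  return directives;
}

// Fetch directives such as script-src fall back to default-src when absent.
function effectiveSources(directives, directive) {
  return directives.get(directive) || directives.get("default-src") || [];
}

// Returns { kind, violatedDirective, nonceHelps, needed, ... } for one report.
function classifyViolation(report) {
  const r = report["csp-report"];
  const directives = parsePolicy(r["original-policy"]);
  // Some browsers append the source list to violated-directive; keep the name only.
  const violated = r["violated-directive"].split(/\s+/)[0].toLowerCase();
  const sources = effectiveSources(directives, violated);
  const blocked = r["blocked-uri"];

  if (blocked === "eval") {
    // eval()/new Function() is allowed only by 'unsafe-eval'; a nonce on the
    // <script> element and 'self' both leave this report unchanged.
    return {
      kind: "eval",
      violatedDirective: violated,
      nonceHelps: false,
      needed: sources.includes("'unsafe-eval'") ? null : "'unsafe-eval'",
      offendingFile: r["source-file"] || null
    };
  }

  if (blocked === "inline") {
    // An inline <script> or event handler without a matching nonce or hash.
    const policyNonce = sources.find((s) => s.startsWith("'nonce-"));
    return {
      kind: "inline",
      violatedDirective: violated,
      nonceHelps: true,
      needed: policyNonce
        ? `nonce="${policyNonce.slice(7, -1)}" attribute on the inline element`
        : "a 'nonce-...' or 'sha256-...' source expression"
    };
  }

  // Otherwise blocked-uri is the (possibly origin-truncated) URL of an external
  // resource, or a scheme keyword such as "data" or "blob".
  let blockedOrigin;
  try {
    blockedOrigin = new URL(blocked).origin;
  } catch (e) {
    blockedOrigin = blocked;
  }
  const sameOrigin = blockedOrigin === new URL(r["document-uri"]).origin;
  return {
    kind: "external",
    violatedDirective: violated,
    nonceHelps: true, // a nonce attribute on the <script src> element is the strict fix
    sameOrigin,
    needed: sameOrigin
      ? "a nonce on the <script src> element, or the broader 'self'"
      : `${blockedOrigin} (or a nonce on the element) in ${violated}`
  };
}

console.log(classifyViolation(sampleReport));
```

Running the block on the issue's report yields `kind: "eval"`, `nonceHelps: false` and `needed: "'unsafe-eval'"`, with the `source-file` of the `jquery.tmpl.min` resource as the offending file. For a report whose `blocked-uri` is `inline` against the same policy, the helper instead names the nonce attribute that the inline element would need, which is the case the proposed `AbstractCspHeaderItem`-based header item addresses.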
