From 792a01f4f3263ccd7edf287d8ec6a4e74519faa0 Mon Sep 17 00:00:00 2001
From: Kees van Dieren
Date: Wed, 31 Dec 2025 10:58:44 +0100
Subject: [PATCH 1/7] Add support for script-src-attr, style-src-attr

---
 .../org/apache/wicket/csp/CSPDirective.java | 25 ++++++++--
 .../apache/wicket/csp/CSPDirectiveTest.java | 47 +++++++++++++++++++
 2 files changed, 67 insertions(+), 5 deletions(-)
 create mode 100644 wicket-core/src/test/java/org/apache/wicket/csp/CSPDirectiveTest.java

diff --git a/wicket-core/src/main/java/org/apache/wicket/csp/CSPDirective.java b/wicket-core/src/main/java/org/apache/wicket/csp/CSPDirective.java
index 235358a02f6..8f71f7f377a 100644
--- a/wicket-core/src/main/java/org/apache/wicket/csp/CSPDirective.java
+++ b/wicket-core/src/main/java/org/apache/wicket/csp/CSPDirective.java
@@ -35,7 +35,12 @@ public enum CSPDirective
 {
 DEFAULT_SRC("default-src"),
 SCRIPT_SRC("script-src"),
+ SCRIPT_SRC_ATTR("script-src-attr"),
+ SCRIPT_SRC_ELEM("script-src-elem"),
+ SRC("src"),
 STYLE_SRC("style-src"),
+ STYLE_SRC_ATTR("style-src-attr"),
+ STYLE_SRC_ELEM("style-src-elem"),
 IMG_SRC("img-src"),
 CONNECT_SRC("connect-src"),
 FONT_SRC("font-src"),
@@ -121,7 +126,7 @@ public void checkValueForDirective(CSPRenderable value,
 }
 };
 
- private String value;
+ private final String value;
 
 CSPDirective(String value)
 {
@@ -135,7 +140,7 @@ public String getValue()
 
 /**
 * Check if {@code value} can be added to the list of other values. By default, it checks for
- * conflicts with wildcards and none and it checks if values are valid uris.
+ * conflicts with wildcards and none, and it checks if values are valid uris.
 *
 * @param value
 * The value to add.
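Review bot: The four new constants at the top of the first hunk (SCRIPT_SRC_ATTR, SCRIPT_SRC_ELEM, STYLE_SRC_ATTR, STYLE_SRC_ELEM) carry no Javadoc, and their fallback behaviour matters to anyone composing a policy: a browser that does not implement the -attr/-elem directives ignores them and enforces script-src / style-src instead, so the base directive must remain safe on its own rather than relying on the attr variant to tighten it. I'd add a one-line comment per constant, e.g. `/** Governs inline event-handler attributes; browsers without support fall back to {@link #SCRIPT_SRC}. */` on SCRIPT_SRC_ATTR, with matching text on the other three. The enum body starts before this hunk.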
@@ -147,6 +152,16 @@ public String getValue()
 public void checkValueForDirective(CSPRenderable value,
 List existingDirectiveValues)
 {
+ if (this == SCRIPT_SRC_ATTR || this == STYLE_SRC_ATTR) {
+ if (!existingDirectiveValues.isEmpty()) {
+ throw new IllegalArgumentException("Directive " + this + " supports only one value");
+ }
+
+ if (!(value == CSPDirectiveSrcValue.NONE || value == CSPDirectiveSrcValue.UNSAFE_INLINE)) {
+ throw new IllegalArgumentException("Unsupported directive value: " + value + " for -src-attr directive");
+ }
+ }
+
 if (!existingDirectiveValues.isEmpty())
 {
 if (CSPDirectiveSrcValue.WILDCARD.equals(value)
@@ -185,11 +200,11 @@ public static CSPDirective fromValue(String value)
 {
 return null;
 }
- for (int i = 0; i < values().length; i++)
+ for (CSPDirective directive : values())
 {
- if (value.equals(values()[i].getValue()))
+ if (value.equals(directive.getValue()))
 {
- return values()[i];
+ return directive;
 }
 }
 return null;
diff --git a/wicket-core/src/test/java/org/apache/wicket/csp/CSPDirectiveTest.java b/wicket-core/src/test/java/org/apache/wicket/csp/CSPDirectiveTest.java
new file mode 100644
index 00000000000..d6ad5f7db4d
--- /dev/null
+++ b/wicket-core/src/test/java/org/apache/wicket/csp/CSPDirectiveTest.java
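Review bot: The new -src-attr branch in checkValueForDirective accepts only 'none' or 'unsafe-inline', yet CSP Level 3 also permits hash sources together with the 'unsafe-hashes' keyword in script-src-attr and style-src-attr, which is precisely the stricter option an application would use to allow one specific inline handler instead of granting 'unsafe-inline' to every attribute; both the "supports only one value" rule and the keyword check reject that configuration, and the restyled versions of the same check in patches 2, 4 and 7 keep the restriction. If it is deliberate, record it in the method's Javadoc (which starts before this hunk), e.g. `For {@link #SCRIPT_SRC_ATTR} and {@link #STYLE_SRC_ATTR} only a single value, 'none' or 'unsafe-inline', is accepted.`; otherwise the condition should also admit a hash source when 'unsafe-hashes' is present. The second message is also generic (`for -src-attr directive`); `"Unsupported directive value: " + value + " for " + getValue()` names the offending directive. No analogous rule is added for SCRIPT_SRC_ELEM / STYLE_SRC_ELEM, which is correct since those accept a full source list.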
@@ -0,0 +1,47 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.wicket.csp;
+
+import org.junit.jupiter.api.Test;
+
+import java.util.List;
+
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+class CSPDirectiveTest {
+
+ @Test
+ void scriptSrcAttrAndStyleSrcAttributesSupportValues() {
+ CSPDirective.SCRIPT_SRC_ATTR.checkValueForDirective(CSPDirectiveSrcValue.NONE, List.of());
+ CSPDirective.SCRIPT_SRC_ATTR.checkValueForDirective(CSPDirectiveSrcValue.UNSAFE_INLINE, List.of());
+ CSPDirective.STYLE_SRC_ATTR.checkValueForDirective(CSPDirectiveSrcValue.NONE, List.of());
+ CSPDirective.STYLE_SRC_ATTR.checkValueForDirective(CSPDirectiveSrcValue.UNSAFE_INLINE, List.of());
+ }
+
+ @Test
+ void scriptSrcAttrAndStyleSrcAttributesOnlySupportOneValue() {
+ assertThrows(IllegalArgumentException.class, () -> CSPDirective.SCRIPT_SRC_ATTR.checkValueForDirective(CSPDirectiveSrcValue.NONE, List.of(CSPDirectiveSrcValue.UNSAFE_INLINE)));
+ assertThrows(IllegalArgumentException.class, () -> CSPDirective.STYLE_SRC_ATTR.checkValueForDirective(CSPDirectiveSrcValue.UNSAFE_INLINE, List.of(CSPDirectiveSrcValue.UNSAFE_INLINE)));
+ }
+
+ @Test
+ void scriptSrcAttrAndStyleSrcAttributesOnlySupportNoneAndUnsafeInline() {
+ assertThrows(IllegalArgumentException.class, () -> CSPDirective.SCRIPT_SRC_ATTR.checkValueForDirective(CSPDirectiveSrcValue.SELF, List.of()));
+ assertThrows(IllegalArgumentException.class, () -> CSPDirective.STYLE_SRC_ATTR.checkValueForDirective(CSPDirectiveSrcValue.WILDCARD, List.of()));
+ }
+
+}
\ No newline at end of file

From 4599c9de2e6d3317317a393d8bf22b2960ec04cb Mon Sep 17 00:00:00 2001
From: Andrea Del Bene
Date: Sun, 4 Jan 2026 17:53:24 +0100
Subject: [PATCH 2/7] Fixed brackets indentation

---
 .../main/java/org/apache/wicket/csp/CSPDirective.java | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/wicket-core/src/main/java/org/apache/wicket/csp/CSPDirective.java b/wicket-core/src/main/java/org/apache/wicket/csp/CSPDirective.java
index 8f71f7f377a..29efd894781 100644
--- a/wicket-core/src/main/java/org/apache/wicket/csp/CSPDirective.java
+++ b/wicket-core/src/main/java/org/apache/wicket/csp/CSPDirective.java
@@ -152,12 +152,15 @@ public String getValue()
 public void checkValueForDirective(CSPRenderable value,
 List existingDirectiveValues)
 {
- if (this == SCRIPT_SRC_ATTR || this == STYLE_SRC_ATTR) {
- if (!existingDirectiveValues.isEmpty()) {
+ if (this == SCRIPT_SRC_ATTR || this == STYLE_SRC_ATTR)
+ {
+ if (!existingDirectiveValues.isEmpty())
+ {
 throw new IllegalArgumentException("Directive " + this + " supports only one value");
 }
 
- if (!(value == CSPDirectiveSrcValue.NONE || value == CSPDirectiveSrcValue.UNSAFE_INLINE)) {
+ if (!(value == CSPDirectiveSrcValue.NONE || value == CSPDirectiveSrcValue.UNSAFE_INLINE))
+ {
 throw new IllegalArgumentException("Unsupported directive value: " + value + " for -src-attr directive");
 }
 }

From 1b637a2f9284fef347a84c58cef64b5d0b629cca Mon Sep 17 00:00:00 2001
From: Andrea Del Bene
Date: Sun, 4 Jan 2026 18:44:11 +0100
Subject: [PATCH 3/7] Fixed brackets indentation

---
 .../java/org/apache/wicket/csp/CSPDirectiveTest.java | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/wicket-core/src/test/java/org/apache/wicket/csp/CSPDirectiveTest.java b/wicket-core/src/test/java/org/apache/wicket/csp/CSPDirectiveTest.java
index d6ad5f7db4d..98569977928 100644
--- a/wicket-core/src/test/java/org/apache/wicket/csp/CSPDirectiveTest.java
+++ b/wicket-core/src/test/java/org/apache/wicket/csp/CSPDirectiveTest.java
@@ -25,7 +25,8 @@ class CSPDirectiveTest {
 
 @Test
- void scriptSrcAttrAndStyleSrcAttributesSupportValues() {
+ void scriptSrcAttrAndStyleSrcAttributesSupportValues()
+ {
 CSPDirective.SCRIPT_SRC_ATTR.checkValueForDirective(CSPDirectiveSrcValue.NONE, List.of());
 CSPDirective.SCRIPT_SRC_ATTR.checkValueForDirective(CSPDirectiveSrcValue.UNSAFE_INLINE, List.of());
 CSPDirective.STYLE_SRC_ATTR.checkValueForDirective(CSPDirectiveSrcValue.NONE, List.of());
@@ -33,15 +34,17 @@ void scriptSrcAttrAndStyleSrcAttributesSupportValues() {
 }
 
 @Test
- void scriptSrcAttrAndStyleSrcAttributesOnlySupportOneValue() {
+ void scriptSrcAttrAndStyleSrcAttributesOnlySupportOneValue()
+ {
 assertThrows(IllegalArgumentException.class, () -> CSPDirective.SCRIPT_SRC_ATTR.checkValueForDirective(CSPDirectiveSrcValue.NONE, List.of(CSPDirectiveSrcValue.UNSAFE_INLINE)));
 assertThrows(IllegalArgumentException.class, () -> CSPDirective.STYLE_SRC_ATTR.checkValueForDirective(CSPDirectiveSrcValue.UNSAFE_INLINE, List.of(CSPDirectiveSrcValue.UNSAFE_INLINE)));
 }
 
 @Test
- void scriptSrcAttrAndStyleSrcAttributesOnlySupportNoneAndUnsafeInline() {
+ void scriptSrcAttrAndStyleSrcAttributesOnlySupportNoneAndUnsafeInline()
+ {
 assertThrows(IllegalArgumentException.class, () -> CSPDirective.SCRIPT_SRC_ATTR.checkValueForDirective(CSPDirectiveSrcValue.SELF, List.of()));
 assertThrows(IllegalArgumentException.class, () -> CSPDirective.STYLE_SRC_ATTR.checkValueForDirective(CSPDirectiveSrcValue.WILDCARD, List.of()));
 }
 
-}
\ No newline at end of file
+}

From e006b91948549b6602037db7846772d22d8f885c Mon Sep 17 00:00:00 2001
From: Andrea Del Bene
Date: Sun, 4 Jan 2026 19:22:09 +0100
Subject: [PATCH 4/7] refactor for logic condition

---
 .../src/main/java/org/apache/wicket/csp/CSPDirective.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/wicket-core/src/main/java/org/apache/wicket/csp/CSPDirective.java b/wicket-core/src/main/java/org/apache/wicket/csp/CSPDirective.java
index 29efd894781..1b56e4600ee 100644
--- a/wicket-core/src/main/java/org/apache/wicket/csp/CSPDirective.java
+++ b/wicket-core/src/main/java/org/apache/wicket/csp/CSPDirective.java
@@ -159,7 +159,7 @@ public void checkValueForDirective(CSPRenderable value,
 throw new IllegalArgumentException("Directive " + this + " supports only one value");
 }
 
- if (!(value == CSPDirectiveSrcValue.NONE || value == CSPDirectiveSrcValue.UNSAFE_INLINE))
+ if (value != CSPDirectiveSrcValue.NONE && value != CSPDirectiveSrcValue.UNSAFE_INLINE)
 {
 throw new IllegalArgumentException("Unsupported directive value: " + value + " for -src-attr directive");
 }

From d3aa4af65e3ede4cd68a291db341181344f8d86b Mon Sep 17 00:00:00 2001
From: Kees van Dieren
Date: Mon, 5 Jan 2026 09:09:12 +0100
Subject: [PATCH 5/7] Drop unsupported directive

Not listed here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy
---
 .../src/main/java/org/apache/wicket/csp/CSPDirective.java | 1 -
 1 file changed, 1 deletion(-)

diff --git a/wicket-core/src/main/java/org/apache/wicket/csp/CSPDirective.java b/wicket-core/src/main/java/org/apache/wicket/csp/CSPDirective.java
index 1b56e4600ee..1517ef8caa1 100644
--- a/wicket-core/src/main/java/org/apache/wicket/csp/CSPDirective.java
+++ b/wicket-core/src/main/java/org/apache/wicket/csp/CSPDirective.java
@@ -37,7 +37,6 @@ public enum CSPDirective
 SCRIPT_SRC("script-src"),
 SCRIPT_SRC_ATTR("script-src-attr"),
 SCRIPT_SRC_ELEM("script-src-elem"),
- SRC("src"),
 STYLE_SRC("style-src"),
 STYLE_SRC_ATTR("style-src-attr"),
 STYLE_SRC_ELEM("style-src-elem"),

From 738e9179b746872377bbfec82ebc82943a233cdb Mon Sep 17 00:00:00 2001
From: Martin Tzvetanov Grigorov
Date: Mon, 5 Jan 2026 10:17:54 +0200
Subject: [PATCH 6/7] WICKET-7172: Improve the unit tests

---
 .../org/apache/wicket/csp/CSPDirectiveTest.java | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/wicket-core/src/test/java/org/apache/wicket/csp/CSPDirectiveTest.java b/wicket-core/src/test/java/org/apache/wicket/csp/CSPDirectiveTest.java
index 98569977928..1d13dace910 100644
--- a/wicket-core/src/test/java/org/apache/wicket/csp/CSPDirectiveTest.java
+++ b/wicket-core/src/test/java/org/apache/wicket/csp/CSPDirectiveTest.java
@@ -36,15 +36,23 @@ void scriptSrcAttrAndStyleSrcAttributesSupportValues()
 @Test
 void scriptSrcAttrAndStyleSrcAttributesOnlySupportOneValue()
 {
- assertThrows(IllegalArgumentException.class, () -> CSPDirective.SCRIPT_SRC_ATTR.checkValueForDirective(CSPDirectiveSrcValue.NONE, List.of(CSPDirectiveSrcValue.UNSAFE_INLINE)));
- assertThrows(IllegalArgumentException.class, () -> CSPDirective.STYLE_SRC_ATTR.checkValueForDirective(CSPDirectiveSrcValue.UNSAFE_INLINE, List.of(CSPDirectiveSrcValue.UNSAFE_INLINE)));
+ assertThrows(IllegalArgumentException.class, () ->
+ CSPDirective.SCRIPT_SRC_ATTR.checkValueForDirective(CSPDirectiveSrcValue.NONE, List.of(CSPDirectiveSrcValue.UNSAFE_INLINE)));
+ assertThrows(IllegalArgumentException.class, () ->
+ CSPDirective.STYLE_SRC_ATTR.checkValueForDirective(CSPDirectiveSrcValue.UNSAFE_INLINE, List.of(CSPDirectiveSrcValue.UNSAFE_INLINE)));
 }
 
 @Test
 void scriptSrcAttrAndStyleSrcAttributesOnlySupportNoneAndUnsafeInline()
 {
- assertThrows(IllegalArgumentException.class, () -> CSPDirective.SCRIPT_SRC_ATTR.checkValueForDirective(CSPDirectiveSrcValue.SELF, List.of()));
- assertThrows(IllegalArgumentException.class, () -> CSPDirective.STYLE_SRC_ATTR.checkValueForDirective(CSPDirectiveSrcValue.WILDCARD, List.of()));
+ for (CSPDirectiveSrcValue value : CSPDirectiveSrcValue.values()) {
+ if (value == CSPDirectiveSrcValue.NONE || value == CSPDirectiveSrcValue.UNSAFE_INLINE) {
+ CSPDirective.SCRIPT_SRC_ATTR.checkValueForDirective(value, List.of());
+ CSPDirective.STYLE_SRC_ATTR.checkValueForDirective(value, List.of());
+ } else {
+ assertThrows(IllegalArgumentException.class, () -> CSPDirective.SCRIPT_SRC_ATTR.checkValueForDirective(value, List.of()));
+ }
+ }
 }
 
 }

From 766dbb3d7e22c94a9b346458e2dc6e69ae45ee64 Mon Sep 17 00:00:00 2001
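Review bot: In the rewritten scriptSrcAttrAndStyleSrcAttributesOnlySupportNoneAndUnsafeInline, the else branch only asserts that SCRIPT_SRC_ATTR rejects the value, so the rejection path of STYLE_SRC_ATTR, which the removed WILDCARD assertion used to cover, is no longer tested at all; add `assertThrows(IllegalArgumentException.class, () -> CSPDirective.STYLE_SRC_ATTR.checkValueForDirective(value, List.of()));` beside the existing assertion. The loop also walks only the CSPDirectiveSrcValue enum, so any other CSPRenderable implementation the project may have (a nonce or hash value, if one exists) is never run against the new check, and the message text of the thrown exception is not asserted either. As a point of style, the for/if/else use same-line braces while patches 2 and 3 deliberately moved this file and CSPDirective to braces on their own line.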
From: Martin Grigorov
Date: Mon, 5 Jan 2026 10:40:53 +0200
Subject: [PATCH 7/7] Use equals() to compare the values

---
 .../src/main/java/org/apache/wicket/csp/CSPDirective.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/wicket-core/src/main/java/org/apache/wicket/csp/CSPDirective.java b/wicket-core/src/main/java/org/apache/wicket/csp/CSPDirective.java
index 1517ef8caa1..6f840ab5ff1 100644
--- a/wicket-core/src/main/java/org/apache/wicket/csp/CSPDirective.java
+++ b/wicket-core/src/main/java/org/apache/wicket/csp/CSPDirective.java
@@ -158,7 +158,7 @@ public void checkValueForDirective(CSPRenderable value,
 throw new IllegalArgumentException("Directive " + this + " supports only one value");
 }
 
- if (value != CSPDirectiveSrcValue.NONE && value != CSPDirectiveSrcValue.UNSAFE_INLINE)
+ if (!CSPDirectiveSrcValue.NONE.equals(value) && !CSPDirectiveSrcValue.UNSAFE_INLINE.equals(value))
 {
 throw new IllegalArgumentException("Unsupported directive value: " + value + " for -src-attr directive");
 }