Package org.apache.wicket.csp

Class ContentSecurityPolicySettings

java.lang.Object

org.apache.wicket.csp.ContentSecurityPolicySettings

public class ContentSecurityPolicySettings
extends Object

Build the CSP configuration like this:

 
  myApplication.getCspSettings().blocking().clear()
      .add(CSPDirective.DEFAULT_SRC, CSPDirectiveSrcValue.NONE)
      .add(CSPDirective.SCRIPT_SRC, CSPDirectiveSrcValue.SELF)
      .add(CSPDirective.IMG_SRC, CSPDirectiveSrcValue.SELF)
      .add(CSPDirective.FONT_SRC, CSPDirectiveSrcValue.SELF));

  myApplication.getCspSettings().reporting().strict();
 	
 

See CSPHeaderConfiguration for more details on specifying the configuration.

Author:

Sven Haster, Emond Papegaaij

See Also:

• https://www.w3.org/TR/CSP2
• https://developer.mozilla.org/en-US/docs/Web/Security/CSP

Field Summary

Fields

Modifier and Type	Field	Description
static final MetaDataKey<String>	NONCE_KEY

Constructor Summary

Constructors

Constructor	Description
ContentSecurityPolicySettings(Application application)

Method Summary

Modifier and Type	Method	Description
CSPHeaderConfiguration	blocking()
protected String	createNonce()	Create a new nonce.
void	enforce(WebApplication application)	Enforce CSP settings on an application.
Map<CSPHeaderMode,CSPHeaderConfiguration>	getConfiguration()	Returns the CSP configuration per CSPHeaderMode.
String	getNonce(RequestCycle cycle)
boolean	isEnabled()	Is CSP enabled.
final boolean	isNonceEnabled()	Returns true if any of the headers includes a directive with a nonce.
protected boolean	mustProtectRequest(IRequestHandler handler)	Should any request be protected by CSP.
CSPHeaderConfiguration	reporting()
ContentSecurityPolicySettings	setNonceCreator(Supplier<String> nonceCreator)	Sets the creator of nonces.
ContentSecurityPolicySettings	setProtectedFilter(Predicate<IRequestHandler> protectedFilter)	Sets the predicate that determines which requests must be protected by the CSP.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

NONCE_KEY

public static final MetaDataKey<String> NONCE_KEY

Constructor Details

ContentSecurityPolicySettings

public ContentSecurityPolicySettings(Application application)

Method Details

blocking

public CSPHeaderConfiguration blocking()

reporting

public CSPHeaderConfiguration reporting()

setNonceCreator

public ContentSecurityPolicySettings setNonceCreator(Supplier<String> nonceCreator)

Sets the creator of nonces.

Parameters:

nonceCreator - The new creator, must not be null.

Returns:

this for chaining.

setProtectedFilter

public ContentSecurityPolicySettings setProtectedFilter(Predicate<IRequestHandler> protectedFilter)

Sets the predicate that determines which requests must be protected by the CSP. When the predicate evaluates to false, the request will not be protected.

Parameters:

protectedFilter - The new filter, must not be null.

Returns:

this for chaining.

mustProtectRequest

protected boolean mustProtectRequest(IRequestHandler handler)

Should any request be protected by CSP.

Parameters:

handler -

Returns:

true by default for all RenderPageRequestHandlers

See Also:

• setProtectedFilter(Predicate)

isNonceEnabled

public final boolean isNonceEnabled()

Returns true if any of the headers includes a directive with a nonce.

Returns:

If a nonce is used in the CSP.

getNonce

public String getNonce(RequestCycle cycle)

createNonce

protected String createNonce()

Create a new nonce.

Returns:

nonce

See Also:

• setNonceCreator(Supplier)

getConfiguration

public Map<CSPHeaderMode,CSPHeaderConfiguration> getConfiguration()

Returns the CSP configuration per CSPHeaderMode.

Returns:

the CSP configuration per CSPHeaderMode.

enforce

public void enforce(WebApplication application)

Enforce CSP settings on an application.

Parameters:

application - application

isEnabled

public boolean isEnabled()

Is CSP enabled.