juneau-dev mailing list archives

From Gary Gregory <garydgreg...@gmail.com>
Subject Re: Generate script and style elements
Date Mon, 08 Mar 2021 16:53:20 GMT
On Mon, Mar 8, 2021 at 9:22 AM James Bognar <jamesbognar@gmail.com> wrote:
>
> LGTM.  Do you want me to merge it immediately or wait?

Well, there is no backing implementation, so it might be misleading to
commit this now.

>
> How in general do you see this working?

By default, nothing changes. See below.

> Will users have to calculate
> a hash themselves and add it to the annotation?

No: I expect to update Juneau's HTML generation to generate nonces and hashes.

> Will we have to
> return special headers on REST responses for these?

Yes, that's the idea, the new attributes in the script and style HTML
elements MUST match the HTTP Content Security Policy (CSP) header(s).

For the curious reader, I Javadoc'd links to CSP details to redirect
the reader to the appropriate specifications.

Gary

>
> On Mon, Mar 8, 2021 at 8:07 AM Gary Gregory <garydgregory@gmail.com> wrote:
> >
> > Hi James and all,
> >
> > Please advise on https://github.com/apache/juneau/pull/57
> >
> > Gary
> >
> >
> > On Sat, Mar 6, 2021, 10:07 James Bognar <jamesbognar@gmail.com> wrote:
> >>
> >> Absolutely.  I'm not familiar with those tags but it sounds like a
> >> pretty simple addition.
> >>
> >> I've also noticed a warning when delivering changes to master.  The
> >> link returns a 404 for me.  Maybe this is what it's complaining about.
> >>
> >> remote:
> >> remote: GitHub found 1 vulnerability on apache/juneau's default branch
> >> (1 low). To find out more, visit:
> >> remote:      https://github.com/apache/juneau/security/dependabot/pom.xml/junit:junit/open
> >>
> >> On Fri, Mar 5, 2021 at 2:30 PM Gary Gregory <garydgregory@gmail.com> wrote:
> >> >
> >> > Hi All,
> >> >
> >> > Due to some dynamic analysis tooling we are running on our product, pages
> >> > generated by Juneau from Rest annotations on a Servlet are flagged as insecure because the
> >> > HTML contains script and style elements that are not using a nonce or a hash attribute.
> >> >
> >> > Is there any interest here in support of this?
> >> >
> >> > If so, I might be able to provide a PR, not 100% sure, since I've only
> >> > looked at the source enough to see where the script tag is written.
> >> >
> >> > Thank you,
> >> > Gary
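To make the nonce/hash requirement discussed above concrete, here is an added Python example (not Juneau's code, which is Java; Python keeps the mechanism short): the hypothetical `render_page` emits inline script/style elements together with the CSP header value they must match, and `check_policy` verifies that the two agree the way a browser would, for both the nonce and the hash variants. The inline script and style bodies are constructed sample input.

```python
import base64
import hashlib
import re
import secrets

# Hypothetical helpers (not Juneau code) showing how generated inline
# <script>/<style> elements and the CSP header must agree.

def csp_hash(source: str) -> str:
    """CSP hash-source for an inline body: SHA-256 of the exact text
    between the tags (whitespace included), base64-encoded."""
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

def csp_nonce() -> str:
    """Fresh per-response nonce: 128 bits from a CSPRNG, base64-encoded."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")

def render_page(inline_script: str, inline_style: str, use_nonce: bool):
    """Return (html_fragment, csp_header_value) that agree with each other."""
    if use_nonce:
        nonce = csp_nonce()  # one nonce per response, shared by every inline element
        script_tag = f'<script nonce="{nonce}">{inline_script}</script>'
        style_tag = f'<style nonce="{nonce}">{inline_style}</style>'
        script_src = style_src = f"'nonce-{nonce}'"
    else:
        script_tag = f"<script>{inline_script}</script>"
        style_tag = f"<style>{inline_style}</style>"
        script_src, style_src = csp_hash(inline_script), csp_hash(inline_style)
    header = (f"default-src 'self'; script-src 'self' {script_src}; "
              f"style-src 'self' {style_src}")
    return script_tag + "\n" + style_tag, header

INLINE_RE = re.compile(r'<(script|style)(?:\s+nonce="([^"]*)")?>(.*?)</\1>', re.S)

def check_policy(html: str, csp_header: str) -> bool:
    """Check that every inline script/style is allowed by the header, as a
    browser would judge it: matching nonce, or matching hash of the body."""
    directives = {}
    for part in csp_header.split(";"):
        if part.strip():
            name, *sources = part.split()
            directives[name] = set(sources)
    for tag, nonce, body in INLINE_RE.findall(html):
        allowed = directives.get(f"{tag}-src", directives.get("default-src", set()))
        if not ((nonce and f"'nonce-{nonce}'" in allowed) or csp_hash(body) in allowed):
            return False
    return True
```

Note that the hash covers the exact element body, so any change to the generated script text (even whitespace) must be reflected in a regenerated header.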
