From a362a78ddd800865893eb12966d0090b8943982e Mon Sep 17 00:00:00 2001
From: jmestwa-coder
Date: Thu, 30 Apr 2026 15:40:29 +0530
Subject: [PATCH] Add opt-in CSP embedding and plugin restrictions

---
 .../apache/wicket/csp/CSPHeaderConfiguration.java | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/wicket-core/src/main/java/org/apache/wicket/csp/CSPHeaderConfiguration.java b/wicket-core/src/main/java/org/apache/wicket/csp/CSPHeaderConfiguration.java
index 0e3de214ce4..8159ec282a2 100644
--- a/wicket-core/src/main/java/org/apache/wicket/csp/CSPHeaderConfiguration.java
+++ b/wicket-core/src/main/java/org/apache/wicket/csp/CSPHeaderConfiguration.java
@@ -21,8 +21,10 @@
 import static org.apache.wicket.csp.CSPDirective.CONNECT_SRC;
 import static org.apache.wicket.csp.CSPDirective.DEFAULT_SRC;
 import static org.apache.wicket.csp.CSPDirective.FONT_SRC;
+import static org.apache.wicket.csp.CSPDirective.FRAME_ANCESTORS;
 import static org.apache.wicket.csp.CSPDirective.IMG_SRC;
 import static org.apache.wicket.csp.CSPDirective.MANIFEST_SRC;
+import static org.apache.wicket.csp.CSPDirective.OBJECT_SRC;
 import static org.apache.wicket.csp.CSPDirective.REPORT_URI;
 import static org.apache.wicket.csp.CSPDirective.SCRIPT_SRC;
 import static org.apache.wicket.csp.CSPDirective.STYLE_SRC;
@@ -131,6 +133,17 @@ public CSPHeaderConfiguration strict()
 			.add(BASE_URI, SELF);
 	}
 
+	/**
+	 * Hardens the CSP configuration by adding {@code frame-ancestors 'self'} to prevent embedding
+	 * (clickjacking) and {@code object-src 'none'} to disable plugin execution.
+	 *
+	 * @return {@code this} for chaining.
+	 */
+	public CSPHeaderConfiguration enableStrictEmbeddingProtection()
+	{
+		return add(FRAME_ANCESTORS, SELF).add(OBJECT_SRC, NONE);
+	}
+
 	/**
 	 * Configures the CSP to report violations back at the application.
 	 *
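Review bot: `add(OBJECT_SRC, NONE)` in enableStrictEmbeddingProtection appends to whatever object-src sources the configuration already holds, so on a configuration that has already added object-src values (or when the method is called twice) the result is either an exception from add()'s value check, if that check refuses to combine 'none' with other sources, or an invalid source list such as `object-src 'self' 'none'` in the emitted header; the Javadoc should state that object-src is expected to be unset, or the method should clear that directive before adding 'none'. The Javadoc also overstates `frame-ancestors 'self'`: it blocks only cross-origin framing, same-origin documents can still embed the page, so the first sentence is better phrased as `* Hardens the CSP by adding {@code frame-ancestors 'self'} to allow framing only by same-origin documents (blocking cross-origin clickjacking) and {@code object-src 'none'} to disable plugin content.` Since object-src falls back to default-src while frame-ancestors does not, the object-src part adds nothing when the configuration already sets `default-src 'none'` (whether strict() just above does so is not visible in this hunk), and frame-ancestors is the restriction strict() cannot express; a sentence saying so would tell callers what this method adds on top of strict(). Applications that must be embedded by specific partner origins should be pointed at `add(FRAME_ANCESTORS, ...)` with those origins instead of this preset.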