I wrote a Java WebApp using Tomcat Version 9.0.69 and Wicket 9.12.0 plus Chrome Version 109.0.5414.75 for display, but CSP (Content-Security-Policy) totally messes up the display with a bunch of "Refused to [load the stylesheet/script '' | apply inline style] because it violates the following Content Security Policy directive: ...".
I tried to use HTML metas like "", but it failed.
I tried to configure CSP inside the Tomcat config; it failed too.
The only way right now I can see my web application properly is by using a Chrome plugin to disable CSP for the display tab.
I would like to fix this issue at the source. Where is the strict CSP policy defined here: Tomcat, Wicket, or Chrome?
I tried to fix CSP in HTML metas and the Tomcat config, with no effect. Only disabling CSP in Chrome with a plugin worked to nullify the CSP effect.
Some CSP-related settings are defined in Wicket. If you use the quickstart Maven archetype, then they are in WicketApplication.java.
You could disable them by replacing these lines with:
getCspSettings().blocking().disabled();
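As an alternative to switching the header off, the policy can stay enforced and be widened only for the sources the pages actually load. The following is an added example, not code from the original answer or from the Wicket project: the package name, the `HomePage` class and the `https://static.example.invalid` host are placeholders, and the directives shown are assumptions about what a given application needs.

```java
package com.example; // hypothetical package name

import org.apache.wicket.Page;
import org.apache.wicket.csp.CSPDirective;
import org.apache.wicket.csp.CSPDirectiveSrcValue;
import org.apache.wicket.protocol.http.WebApplication;

public class WicketApplication extends WebApplication {

    @Override
    public Class<? extends Page> getHomePage() {
        return HomePage.class; // the application's start page (assumed to exist)
    }

    @Override
    public void init() {
        super.init();

        // Option A (from the answer above): no CSP header is sent at all.
        // getCspSettings().blocking().disabled();

        // Option B: keep the enforced policy and allow only what is needed.
        // Each add() appends a source to the named directive.
        getCspSettings().blocking()
            // stylesheets served by this application
            .add(CSPDirective.STYLE_SRC, CSPDirectiveSrcValue.SELF)
            // stylesheets and fonts from one external host (placeholder)
            .add(CSPDirective.STYLE_SRC, "https://static.example.invalid")
            .add(CSPDirective.FONT_SRC, "https://static.example.invalid")
            // images served by this application
            .add(CSPDirective.IMG_SRC, CSPDirectiveSrcValue.SELF);

        // While tuning the list, a strict report-only policy can run alongside
        // the enforced one. It blocks nothing; the browser only reports what
        // the strict policy would have refused, and Wicket logs those reports.
        getCspSettings().reporting().strict().reportBack();
    }
}
```

Inline `style="..."` attributes and inline event handlers in the markup are still refused under option B; moving them into stylesheets and Wicket behaviors removes those console errors without adding `'unsafe-inline'`.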