Posted to commits@wicket.apache.org by pa...@apache.org on 2024/02/26 10:24:04 UTC

(wicket) branch wicket-9.x updated (1f418c276a -> 55d0c48427)

This is an automated email from the ASF dual-hosted git repository.

papegaaij pushed a change to branch wicket-9.x
in repository https://gitbox.apache.org/repos/asf/wicket.git


    from 1f418c276a Bump junit.version from 5.10.1 to 5.10.2 (#782)
     new 18bfd9b301 Fix condition for simple top level navigation
     new bec08867c4 Correctly assert the conditions related to top-level navigation
     new 55d0c48427 Add test to assert that POST is not simple top-level navigation

The 3 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .../http/FetchMetadataResourceIsolationPolicy.java |  4 +-
 .../ResourceIsolationRequestCycleListenerTest.java | 45 +++++++++++++++++++---
 2 files changed, 42 insertions(+), 7 deletions(-)


(wicket) 02/03: Correctly assert the conditions related to top-level navigation

Posted by pa...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

papegaaij pushed a commit to branch wicket-9.x
in repository https://gitbox.apache.org/repos/asf/wicket.git

commit bec08867c4330ab994e84cb3b82be65e23e4ad6e
Author: Emond Papegaaij <pa...@apache.org>
AuthorDate: Mon Feb 26 10:30:23 2024 +0100

    Correctly assert the conditions related to top-level navigation
---
 .../http/FetchMetadataResourceIsolationPolicy.java |  4 +++-
 .../ResourceIsolationRequestCycleListenerTest.java | 28 +++++++++++++++++-----
 2 files changed, 25 insertions(+), 7 deletions(-)

diff --git a/wicket-core/src/main/java/org/apache/wicket/protocol/http/FetchMetadataResourceIsolationPolicy.java b/wicket-core/src/main/java/org/apache/wicket/protocol/http/FetchMetadataResourceIsolationPolicy.java
index 99def5f6e8..457130cac0 100644
--- a/wicket-core/src/main/java/org/apache/wicket/protocol/http/FetchMetadataResourceIsolationPolicy.java
+++ b/wicket-core/src/main/java/org/apache/wicket/protocol/http/FetchMetadataResourceIsolationPolicy.java
@@ -42,10 +42,12 @@ public class FetchMetadataResourceIsolationPolicy implements IResourceIsolationP
 	public static final String SAME_SITE = "same-site";
 	public static final String NONE = "none";
 	public static final String MODE_NAVIGATE = "navigate";
+	public static final String MODE_NO_CORS = "no-cors";
 	public static final String DEST_OBJECT = "object";
 	public static final String DEST_EMBED = "embed";
 	public static final String CROSS_SITE = "cross-site";
 	public static final String CORS = "cors";
+	public static final String DEST_DOCUMENT = "document";
 	public static final String DEST_SCRIPT = "script";
 	public static final String DEST_IMAGE = "image";
 	
@@ -83,7 +85,7 @@ public class FetchMetadataResourceIsolationPolicy implements IResourceIsolationP
 		String dest = request.getHeader(SEC_FETCH_DEST_HEADER);
 
 		boolean isSimpleTopLevelNavigation = MODE_NAVIGATE.equals(mode)
-			&& "GET".equals(request.getMethod());
+			&& "GET".equalsIgnoreCase(request.getMethod());
 		boolean isNotObjectOrEmbedRequest = !DEST_EMBED.equals(dest) && !DEST_OBJECT.equals(dest);
 
 		return isSimpleTopLevelNavigation && isNotObjectOrEmbedRequest;
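Review bot: The comparison `"GET".equalsIgnoreCase(request.getMethod())` widens the simple-navigation condition to any casing of GET, whereas HTTP method tokens are case-sensitive (RFC 9110) and a servlet container hands the method through as received, so a request with method `get` is now classified as a simple top-level navigation. Browsers normalize the standard method names to upper case before sending, so the practical exposure is probably small, but the reason for relaxing the check is not recorded; either keep the exact comparison or add a comment above the line stating why case-insensitive matching is intended. The enclosing method starts before this hunk and is not visible here.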
diff --git a/wicket-core/src/test/java/org/apache/wicket/protocol/http/ResourceIsolationRequestCycleListenerTest.java b/wicket-core/src/test/java/org/apache/wicket/protocol/http/ResourceIsolationRequestCycleListenerTest.java
index 2dce6ee988..b3a9e08e21 100644
--- a/wicket-core/src/test/java/org/apache/wicket/protocol/http/ResourceIsolationRequestCycleListenerTest.java
+++ b/wicket-core/src/test/java/org/apache/wicket/protocol/http/ResourceIsolationRequestCycleListenerTest.java
@@ -19,8 +19,9 @@ package org.apache.wicket.protocol.http;
 import static org.apache.wicket.protocol.http.FetchMetadataResourceIsolationPolicy.CROSS_SITE;
 import static org.apache.wicket.protocol.http.FetchMetadataResourceIsolationPolicy.DEST_EMBED;
 import static org.apache.wicket.protocol.http.FetchMetadataResourceIsolationPolicy.DEST_OBJECT;
+import static org.apache.wicket.protocol.http.FetchMetadataResourceIsolationPolicy.DEST_DOCUMENT;
 import static org.apache.wicket.protocol.http.FetchMetadataResourceIsolationPolicy.MODE_NAVIGATE;
-import static org.apache.wicket.protocol.http.FetchMetadataResourceIsolationPolicy.SAME_ORIGIN;
+import static org.apache.wicket.protocol.http.FetchMetadataResourceIsolationPolicy.MODE_NO_CORS;
 import static org.apache.wicket.protocol.http.FetchMetadataResourceIsolationPolicy.SAME_SITE;
 import static org.apache.wicket.protocol.http.FetchMetadataResourceIsolationPolicy.SEC_FETCH_DEST_HEADER;
 import static org.apache.wicket.protocol.http.FetchMetadataResourceIsolationPolicy.SEC_FETCH_MODE_HEADER;
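Review bot: The new static import of DEST_DOCUMENT is placed after DEST_OBJECT, breaking the alphabetical order the rest of this import group follows (CROSS_SITE, DEST_EMBED, DEST_OBJECT, MODE_NAVIGATE, ...). Move it one line up so the group stays sorted: `import static org.apache.wicket.protocol.http.FetchMetadataResourceIsolationPolicy.DEST_DOCUMENT;` before the DEST_EMBED line.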
@@ -85,6 +86,19 @@ public class ResourceIsolationRequestCycleListenerTest extends WicketTestCase
 		assertRequestAborted();
 	}
 
+	/**
+	 * Tests whether cross site requests are aborted
+	 */
+	@Test
+	void destNoCorsGetAborted()
+	{
+		tester.addRequestHeader(SEC_FETCH_SITE_HEADER, CROSS_SITE);
+		tester.addRequestHeader(SEC_FETCH_DEST_HEADER, DEST_DOCUMENT);
+		tester.addRequestHeader(SEC_FETCH_MODE_HEADER, MODE_NO_CORS);
+
+		assertRequestAborted();
+	}
+
 	/**
 	 * Tests whether object requests (sec-fetch-dest :"object" ) are aborted by FM checks
 	 */
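Review bot: The Javadoc on destNoCorsGetAborted, "Tests whether cross site requests are aborted", does not say what distinguishes this case from the other cross-site tests in the class; the test specifically sets mode "no-cors" together with dest "document", so it checks that a document request is blocked when the mode is not "navigate". A more precise comment would be `Tests that a cross-site GET with sec-fetch-mode "no-cors" is aborted even when sec-fetch-dest is "document", because only mode "navigate" qualifies as a simple top-level navigation`.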
@@ -103,7 +117,7 @@ public class ResourceIsolationRequestCycleListenerTest extends WicketTestCase
 	@Test
 	void topLevelNavigationAllowedFM()
 	{
-		tester.addRequestHeader(SEC_FETCH_SITE_HEADER, SAME_ORIGIN);
+		tester.addRequestHeader(SEC_FETCH_SITE_HEADER, CROSS_SITE);
 		tester.addRequestHeader(SEC_FETCH_MODE_HEADER, MODE_NAVIGATE);
 
 		assertRequestAccepted();
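Review bot: topLevelNavigationAllowedFM now exercises the cross-site path but does not set SEC_FETCH_DEST_HEADER, so the policy's dest checks are evaluated against a null header rather than the "document" value a browser sends for a real top-level navigation. Adding `tester.addRequestHeader(SEC_FETCH_DEST_HEADER, DEST_DOCUMENT);` (the constant is imported in this commit) would make the test match the browser case, and a separate test for the missing-header case could keep the current behaviour covered. The method name no longer mentions that the request is cross-site; the Javadoc above it (outside this hunk) should say so.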
@@ -191,15 +205,17 @@ public class ResourceIsolationRequestCycleListenerTest extends WicketTestCase
 
 	private void assertRequestAborted()
 	{
+		tester.getRequest().setMethod("GET");
 		tester.clickLink("link");
-		assertEquals(tester.getLastResponse().getStatus(),
-			javax.servlet.http.HttpServletResponse.SC_FORBIDDEN);
-		assertEquals(tester.getLastResponse().getErrorMessage(),
-			ResourceIsolationRequestCycleListener.ERROR_MESSAGE);
+		assertEquals(javax.servlet.http.HttpServletResponse.SC_FORBIDDEN,
+			tester.getLastResponse().getStatus());
+		assertEquals(ResourceIsolationRequestCycleListener.ERROR_MESSAGE,
+			tester.getLastResponse().getErrorMessage());
 	}
 
 	private void assertRequestAccepted()
 	{
+		tester.getRequest().setMethod("GET");
 		tester.clickLink("link");
 		tester.assertRenderedPage(SecondPage.class);
 	}
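Review bot: assertRequestAborted and assertRequestAccepted now both force the request method to GET before clicking the link, which is a hidden precondition the individual tests cannot see or override. Document it on each helper, e.g. `/** Sets the request method to GET, clicks "link" and expects the request to be rejected with 403 and the listener's error message. */`, and consider making the method a parameter so non-GET cases can be asserted without a second helper.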


(wicket) 03/03: Add test to assert that POST is not simple top-level navigation

Posted by pa...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

papegaaij pushed a commit to branch wicket-9.x
in repository https://gitbox.apache.org/repos/asf/wicket.git

commit 55d0c48427c797876442defa0e383b0e85902eda
Author: Emond Papegaaij <pa...@apache.org>
AuthorDate: Mon Feb 26 11:10:33 2024 +0100

    Add test to assert that POST is not simple top-level navigation
---
 .../ResourceIsolationRequestCycleListenerTest.java    | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/wicket-core/src/test/java/org/apache/wicket/protocol/http/ResourceIsolationRequestCycleListenerTest.java b/wicket-core/src/test/java/org/apache/wicket/protocol/http/ResourceIsolationRequestCycleListenerTest.java
index b3a9e08e21..f694ab93d8 100644
--- a/wicket-core/src/test/java/org/apache/wicket/protocol/http/ResourceIsolationRequestCycleListenerTest.java
+++ b/wicket-core/src/test/java/org/apache/wicket/protocol/http/ResourceIsolationRequestCycleListenerTest.java
@@ -123,6 +123,18 @@ public class ResourceIsolationRequestCycleListenerTest extends WicketTestCase
 		assertRequestAccepted();
 	}
 
+	/**
+	 * Tests that a POST is not a simple top-level navigation request and is blocked
+	 */
+	@Test
+	void topLevelNavigationPostAborted()
+	{
+		tester.addRequestHeader(SEC_FETCH_SITE_HEADER, CROSS_SITE);
+		tester.addRequestHeader(SEC_FETCH_MODE_HEADER, MODE_NAVIGATE);
+
+		assertRequestAborted("POST");
+	}
+
 	/**
 	 * Tests that requests rejected by fetch metadata have the Vary header set
 	 */
@@ -205,7 +217,12 @@ public class ResourceIsolationRequestCycleListenerTest extends WicketTestCase
 
 	private void assertRequestAborted()
 	{
-		tester.getRequest().setMethod("GET");
+		assertRequestAborted("GET");
+	}
+
+	private void assertRequestAborted(String requestMethod)
+	{
+		tester.getRequest().setMethod(requestMethod);
 		tester.clickLink("link");
 		assertEquals(javax.servlet.http.HttpServletResponse.SC_FORBIDDEN,
 			tester.getLastResponse().getStatus());
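Review bot: assertRequestAborted gained a requestMethod parameter, but assertRequestAccepted (outside this hunk) still hard-codes GET, so the test class can assert that a POST is rejected but not that a same-site POST is accepted. Adding the symmetric overload `private void assertRequestAccepted(String requestMethod)` with the existing no-arg helper delegating to it would keep the two helpers consistent. The new helper has no Javadoc; a one-line summary such as `/** Issues the link click with the given request method and expects a 403 with the listener's error message. */` would help, and its body continues past the end of this hunk.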


(wicket) 01/03: Fix condition for simple top level navigation

Posted by pa...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

papegaaij pushed a commit to branch wicket-9.x
in repository https://gitbox.apache.org/repos/asf/wicket.git

commit 18bfd9b30146c0f003555c54e88d87c9686ae2f7
Author: Emond Papegaaij <pa...@apache.org>
AuthorDate: Sun Feb 25 21:06:10 2024 +0100

    Fix condition for simple top level navigation
---
 .../wicket/protocol/http/FetchMetadataResourceIsolationPolicy.java      | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/wicket-core/src/main/java/org/apache/wicket/protocol/http/FetchMetadataResourceIsolationPolicy.java b/wicket-core/src/main/java/org/apache/wicket/protocol/http/FetchMetadataResourceIsolationPolicy.java
index 18c54078b4..99def5f6e8 100644
--- a/wicket-core/src/main/java/org/apache/wicket/protocol/http/FetchMetadataResourceIsolationPolicy.java
+++ b/wicket-core/src/main/java/org/apache/wicket/protocol/http/FetchMetadataResourceIsolationPolicy.java
@@ -83,7 +83,7 @@ public class FetchMetadataResourceIsolationPolicy implements IResourceIsolationP
 		String dest = request.getHeader(SEC_FETCH_DEST_HEADER);
 
 		boolean isSimpleTopLevelNavigation = MODE_NAVIGATE.equals(mode)
-			|| "GET".equals(request.getMethod());
+			&& "GET".equals(request.getMethod());
 		boolean isNotObjectOrEmbedRequest = !DEST_EMBED.equals(dest) && !DEST_OBJECT.equals(dest);
 
 		return isSimpleTopLevelNavigation && isNotObjectOrEmbedRequest;
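Review bot: The corrected condition has no comment explaining why both operands are required, and the `||` it replaces meant that any GET was accepted regardless of mode and any navigate-mode request regardless of method, so the next reader has no signal that this is the security-relevant part of the check. A comment above the assignment would pin the intent: `// Both conditions are required: a cross-site "navigate" that is not a GET (e.g. a form POST) is not a simple top-level navigation and must not be allowed.` A regression test that sends a POST with mode "navigate" would keep the fix from being reverted. The enclosing method starts before this hunk and is not visible here.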