Posted to commits@wicket.apache.org by "Youri de Boer (Jira)" <ji...@apache.org> on 2023/02/16 07:45:00 UTC

[jira] [Created] (WICKET-7028) CSP header not rendered when using RedirectPolicy.NEVER_REDIRECT

Youri de Boer created WICKET-7028:
-------------------------------------

             Summary: CSP header not rendered when using RedirectPolicy.NEVER_REDIRECT
                 Key: WICKET-7028
                 URL: https://issues.apache.org/jira/browse/WICKET-7028
             Project: Wicket
          Issue Type: Bug
    Affects Versions: 9.12.0
            Reporter: Youri de Boer
         Attachments: withcsp.png, withoutcsp.png

We're busy with a project to replace every page in our application with a newer version. We don't want to break existing bookmarks, but we also don't want to have untested new pages in production. As a solution, all our new pages are only accessible via a feature toggle.

A simplified version looks like:

SimplePage.html
{code}
<!DOCTYPE html>
<html xmlns:wicket="http://wicket.apache.org">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<title></title>
</head>
<body>
    <div wicket:id="label"></div>
</body>
</html>
{code}

SimplePage.java
{code}
import org.apache.wicket.markup.html.WebPage;

public class SimplePage extends WebPage {

    public SimplePage() {
        super();
    }
}
{code}
 
OldPage.java
{code}
import org.apache.wicket.markup.html.basic.Label;

public class OldPage extends SimplePage {

    public OldPage() {

    }

    @Override
    protected void onInitialize() {
        super.onInitialize();
        add(new Label("label", "OldPage"));
    }
}
{code}
 
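NewPage.java
{code}
import org.apache.wicket.RestartResponseException;
import org.apache.wicket.core.request.handler.PageProvider;
import org.apache.wicket.core.request.handler.RenderPageRequestHandler.RedirectPolicy;
import org.apache.wicket.markup.html.basic.Label;

public class NewPage extends SimplePage {

    public NewPage() {
        if (featureFlagDisabled()) {
            // new page is not ready yet, show users the old page
            throw new RestartResponseException(
                    new PageProvider(OldPage.class),
                    RedirectPolicy.NEVER_REDIRECT
                    );
        }
    }

    private boolean featureFlagDisabled() {
        return true;
    }

    @Override
    protected void onInitialize() {
        super.onInitialize();
        add(new Label("label", "NewPage"));
    }
}
{code}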
 
And in our application class:
{code}
        mountPage("page1", NewPage.class);
        mountPage("page2", OldPage.class);
        getCspSettings()
                .blocking();
{code}

The URL 'page1' is known to our users. The URL 'page2' is not known to our users. Besides ending up with outdated bookmarks, there's no harm if they would access it directly.

Regardless of which URL you open, the RestartResponseException ensures the response in the browser is always 'OldPage'.

However, the CSP is not included if Wicket performs the internal redirect. If I open the URL 'page2' directly, the result does include a CSP. See attached screenshots.

A workaround for this issue is a client side redirect; but then the users would see the url change.
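
One way to notice this failure mode in a running application, as an added example that is not part of the original report or of Wicket's code: a servlet filter that logs every HTML response leaving without a blocking `Content-Security-Policy` header. The class name `CspAuditFilter` is hypothetical, and the sketch assumes the `javax.servlet` API and that the filter is mapped ahead of the Wicket filter so that it wraps it.

```java
import java.io.IOException;
import java.util.Locale;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (hypothetical class): audits responses, it does not repair them.
public class CspAuditFilter implements Filter {
    private static final String CSP = "Content-Security-Policy";
    private static final Logger LOG = Logger.getLogger(CspAuditFilter.class.getName());

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Let the application render first; headers are inspected afterwards.
        chain.doFilter(req, res);
        if (!(req instanceof HttpServletRequest) || !(res instanceof HttpServletResponse)) {
            return;
        }
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Only HTML documents are expected to carry the policy.
        if (isHtml(response) && !response.containsHeader(CSP)) {
            LOG.warning("HTML response without " + CSP + ": " + request.getMethod()
                    + " " + request.getRequestURI() + " -> " + response.getStatus());
        }
    }

    static boolean isHtml(HttpServletResponse response) {
        String type = response.getContentType();
        return type != null && type.toLowerCase(Locale.ROOT).startsWith("text/html");
    }

    @Override
    public void destroy() { }
}
```

With the setup from the report, a request to 'page1' would be expected to produce a warning while a request to 'page2' would not.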
