You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@wicket.apache.org by pa...@apache.org on 2020/01/17 21:23:58 UTC

[wicket] branch csp updated: WICKET-6727: ContentSecurityPolicyEnforcer must not protect non-webresponses

This is an automated email from the ASF dual-hosted git repository.

papegaaij pushed a commit to branch csp
in repository https://gitbox.apache.org/repos/asf/wicket.git


The following commit(s) were added to refs/heads/csp by this push:
     new 18a1e6b  WICKET-6727: ContentSecurityPolicyEnforcer must not protect non-webresponses
18a1e6b is described below

commit 18a1e6b7b62015ebd38e16dd9ea51754b1e61e39
Author: Emond Papegaaij <em...@topicus.nl>
AuthorDate: Fri Jan 17 22:23:42 2020 +0100

    WICKET-6727: ContentSecurityPolicyEnforcer must not protect non-webresponses
---
 .../main/java/org/apache/wicket/csp/ContentSecurityPolicyEnforcer.java  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/wicket-core/src/main/java/org/apache/wicket/csp/ContentSecurityPolicyEnforcer.java b/wicket-core/src/main/java/org/apache/wicket/csp/ContentSecurityPolicyEnforcer.java
index 4d2677c..5fb65e7 100644
--- a/wicket-core/src/main/java/org/apache/wicket/csp/ContentSecurityPolicyEnforcer.java
+++ b/wicket-core/src/main/java/org/apache/wicket/csp/ContentSecurityPolicyEnforcer.java
@@ -130,7 +130,7 @@ public class ContentSecurityPolicyEnforcer implements IRequestCycleListener
 	@Override
 	public void onRequestHandlerResolved(RequestCycle cycle, IRequestHandler handler)
 	{
-		if (!mustProtect(handler))
+		if (!mustProtect(handler) || !(cycle.getResponse() instanceof WebResponse))
 			return;
 		
 		WebResponse webResponse = (WebResponse) cycle.getResponse();