Posted to commits@wicket.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2020/02/05 20:09:00 UTC

[jira] [Commented] (WICKET-6745) CSP: inline JS in server and client time response filters

    [ https://issues.apache.org/jira/browse/WICKET-6745?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17030989#comment-17030989 ] 

ASF subversion and git services commented on WICKET-6745:
---------------------------------------------------------

Commit 1f554faedb3543a47c1beff4de6e059345aa7680 in wicket's branch refs/heads/csp from Emond Papegaaij
[ https://gitbox.apache.org/repos/asf?p=wicket.git;h=1f554fa ]

WICKET-6737: removed obsolete response filter from examples

See WICKET-6745 for more information on similar filters. The filter
in wicket-examples was almost a duplicate of ServerAndClientTimeFilter.


> CSP: inline JS in server and client time response filters
> ---------------------------------------------------------
>
>                 Key: WICKET-6745
>                 URL: https://issues.apache.org/jira/browse/WICKET-6745
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket-core, wicket-examples
>    Affects Versions: 9.0.0-M4
>            Reporter: Emond Papegaaij
>            Priority: Major
>
> {{ServerAndClientTimeFilter}}, {{AjaxServerAndClientTimeFilter}} and {{ServerHostNameAndTimeFilter}} all render inline script tags. Because these tags are rendered in a non-standard way, the nonce is not added, violating the CSP.
> These filters all put status information in {{window.defaultStatus}}. This property has been deprecated for years and support has been removed in most (if not all) browsers. My suggestion is to deprecate these classes in core and remove the one in examples. In the deprecated version, there is no need to fix the CSP violation.
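As an added example (not Wicket's code and not from the reporter), a small Python check that audits a rendered HTML response for inline script tags whose nonce is absent from the CSP header's script-src, which is the violation the report describes. The CSP header and HTML below are constructed to mimic a response filter that appends a status script without the nonce.

```python
"""Audit an HTML response for inline <script> tags lacking a CSP nonce.

Added example, not Wicket code. The CSP header and HTML are constructed
to mimic a filter appending a status script without the page's nonce.
"""
import re
from html.parser import HTMLParser

# Matches a 'nonce-<value>' source expression inside a CSP directive.
NONCE_RE = re.compile(r"'nonce-([A-Za-z0-9+/=_-]+)'")


def script_nonces(csp_header):
    """Return the nonces script-src allows (falls back to default-src)."""
    directives = {}
    for part in csp_header.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    values = directives.get("script-src", directives.get("default-src", []))
    nonces = set()
    for value in values:
        match = NONCE_RE.fullmatch(value)
        if match:
            nonces.add(match.group(1))
    return nonces


class _ScriptCollector(HTMLParser):
    """Record (line, has_src, nonce) for every <script> start tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            attributes = dict(attrs)  # HTMLParser lowercases attribute names
            self.scripts.append(
                (self.getpos()[0], "src" in attributes, attributes.get("nonce")))


def unnonced_inline_scripts(csp_header, html):
    """Line numbers of inline scripts whose nonce is missing or not allowed.

    External scripts (with src=) are skipped: under a host-based script-src
    they may be permitted without a nonce, so only inline blocks are flagged.
    """
    allowed = script_nonces(csp_header)
    parser = _ScriptCollector()
    parser.feed(html)
    return [line for line, has_src, nonce in parser.scripts
            if not has_src and nonce not in allowed]


# Constructed sample: the last <script> mimics a filter writing to
# window.defaultStatus without the nonce the rest of the page carries.
CSP = "default-src 'none'; script-src 'nonce-abc123' 'strict-dynamic'; style-src 'self'"
HTML = """<html><head>
<script nonce="abc123">console.log('rendered with the page nonce');</script>
<script src="/wicket/resource/app.js" nonce="abc123"></script>
</head><body>
<p>hello</p>
<script>window.defaultStatus='Server parsetime: 12ms';</script>
</body></html>"""

if __name__ == "__main__":
    print("inline scripts violating CSP at lines:", unnonced_inline_scripts(CSP, HTML))
```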



--
This message was sent by Atlassian Jira
(v8.3.4#803005)