Posted to dev@wicket.apache.org by Emond Papegaaij <em...@gmail.com> on 2020/02/04 19:39:09 UTC

Re: [jira] [Created] (WICKET-6745) CSP: inline JS in server and clienttime response filters

Hi all,

Do you agree on this one? I see no use for these classes anymore, as
support for window.defaultStatus has been dropped by all major
browsers. They also log server time, but we have other and better
solutions for that.

Best regards,
Emond

On Tue, Feb 4, 2020 at 8:37 PM Emond Papegaaij (Jira) <ji...@apache.org> wrote:
>
> Emond Papegaaij created WICKET-6745:
> ---------------------------------------
>
>              Summary: CSP: inline JS in server and clienttime response filters
>                  Key: WICKET-6745
>                  URL: https://issues.apache.org/jira/browse/WICKET-6745
>              Project: Wicket
>           Issue Type: Bug
>           Components: wicket-core, wicket-examples
>     Affects Versions: 9.0.0-M4
>             Reporter: Emond Papegaaij
>
>
> {{ServerAndClientTimeFilter}}, {{AjaxServerAndClientTimeFilter}} and {{ServerHostNameAndTimeFilter}} all render inline script tags. Because these tags are rendered in a non-standard way, the nonce is not added, violating the CSP.
>
> These filters all put status information in {{window.defaultStatus}}. This property has been deprecated for years and support has been removed in most (if not all) browsers. My suggestion is to deprecate these classes in core and remove the one in examples. In the deprecated version, there is no need to fix the CSP violation.
>
>
>
> --
> This message was sent by Atlassian Jira
> (v8.3.4#803005)

Re: [jira] [Created] (WICKET-6745) CSP: inline JS in server and clienttime response filters

Posted by Sven Meier <sv...@meiers.net>.
Hi,

> What about deprecating the current filters and writing a new one that
> just adds the Server-Timing header?

+1 to deprecate the current ones.

Sven


On 04.02.20 21:48, Emond Papegaaij wrote:
> Hi Martin,
>
> I like the idea of the 'Server-Timing' headers. I didn't know this feature yet.
>
> However, these response filters also measure at the client side. The
> time is recorded at the start of the head and again just after body. I
> highly doubt this way of measuring gives a good indication of client
> side performance. Chrome DevTools provides way more details in its
> Performance tab. It's this client side time measurement that's
> problematic. The filters render script tags directly into the
> response, which makes it hard to add the nonce when needed for the
> CSP.
>
> What about deprecating the current filters and writing a new one that
> just adds the Server-Timing header?
>
> Emond
>
> On Tue, Feb 4, 2020 at 9:28 PM Martin Grigorov <mg...@apache.org> wrote:
>> On Tue, Feb 4, 2020 at 9:51 PM Martin Grigorov <mg...@apache.org> wrote:
>>
>>> Hi,
>>>
>>> "window.defaultStatus"  could be easily replaced with console.log()
>>>
>>> Those are usually used in DEV mode. I think it is fine to preserve them.
>>>
>>> As a last resort we can render the value as a response header.
>>> I remember Chromium has handling for some special response header and puts
>>> its value in Dev Tools > Performance tab. I don't recall the name of the
>>> header at the moment.
>>>
>> https://ma.ttias.be/server-timings-chrome-devtools/
>>
>>
>>> On Tue, Feb 4, 2020 at 9:39 PM Emond Papegaaij <em...@gmail.com>
>>> wrote:
>>>
>>>> Hi all,
>>>>
>>>> Do you agree on this one? I see no use for these classes anymore, as
>>>> support for window.defaultStatus has been dropped by all major
>>>> browsers. They also log server time, but we have other and better
>>>> solutions for that.
>>>>
>>>> Best regards,
>>>> Emond
>>>>
>>>> On Tue, Feb 4, 2020 at 8:37 PM Emond Papegaaij (Jira) <ji...@apache.org>
>>>> wrote:
>>>>> Emond Papegaaij created WICKET-6745:
>>>>> ---------------------------------------
>>>>>
>>>>>               Summary: CSP: inline JS in server and clienttime response
>>>> filters
>>>>>                   Key: WICKET-6745
>>>>>                   URL: https://issues.apache.org/jira/browse/WICKET-6745
>>>>>               Project: Wicket
>>>>>            Issue Type: Bug
>>>>>            Components: wicket-core, wicket-examples
>>>>>      Affects Versions: 9.0.0-M4
>>>>>              Reporter: Emond Papegaaij
>>>>>
>>>>>
>>>>> {{ServerAndClientTimeFilter}}, {{AjaxServerAndClientTimeFilter}} and
>>>> {{ServerHostNameAndTimeFilter}} all render inline script tags. Because
>>>> these tags are rendered in a non-standard way, the nonce is not added,
>>>> violating the CSP.
>>>>> These filters all put status information in {{window.defaultStatus}}.
>>>> This property has been deprecated for years and support has been removed in
>>>> most (if not all) browsers. My suggestion is to deprecate these classes in
>>>> core and remove the one in examples. In the deprecated version, there is no
>>>> need to fix the CSP violation.
>>>>>
>>>>>
>>>>> --
>>>>> This message was sent by Atlassian Jira
>>>>> (v8.3.4#803005)

Re: [jira] [Created] (WICKET-6745) CSP: inline JS in server and clienttime response filters

Posted by Emond Papegaaij <em...@gmail.com>.
Hi Martin,

I like the idea of the 'Server-Timing' headers. I didn't know this feature yet.

However, these response filters also measure at the client side. The
time is recorded at the start of the head and again just after body. I
highly doubt this way of measuring gives a good indication of client
side performance. Chrome DevTools provides way more details in its
Performance tab. It's this client side time measurement that's
problematic. The filters render script tags directly into the
response, which makes it hard to add the nonce when needed for the
CSP.

What about deprecating the current filters and writing a new one that
just adds the Server-Timing header?

Emond

On Tue, Feb 4, 2020 at 9:28 PM Martin Grigorov <mg...@apache.org> wrote:
>
> On Tue, Feb 4, 2020 at 9:51 PM Martin Grigorov <mg...@apache.org> wrote:
>
> > Hi,
> >
> > "window.defaultStatus"  could be easily replaced with console.log()
> >
> > Those are usually used in DEV mode. I think it is fine to preserve them.
> >
> > As a last resort we can render the value as a response header.
> > I remember Chromium has handling for some special response header and puts
> > its value in Dev Tools > Performance tab. I don't recall the name of the
> > header at the moment.
> >
>
> https://ma.ttias.be/server-timings-chrome-devtools/
>
>
> >
> > On Tue, Feb 4, 2020 at 9:39 PM Emond Papegaaij <em...@gmail.com>
> > wrote:
> >
> >> Hi all,
> >>
> >> Do you agree on this one? I see no use for these classes anymore, as
> >> support for window.defaultStatus has been dropped by all major
> >> browsers. They also log server time, but we have other and better
> >> solutions for that.
> >>
> >> Best regards,
> >> Emond
> >>
> >> On Tue, Feb 4, 2020 at 8:37 PM Emond Papegaaij (Jira) <ji...@apache.org>
> >> wrote:
> >> >
> >> > Emond Papegaaij created WICKET-6745:
> >> > ---------------------------------------
> >> >
> >> >              Summary: CSP: inline JS in server and clienttime response
> >> filters
> >> >                  Key: WICKET-6745
> >> >                  URL: https://issues.apache.org/jira/browse/WICKET-6745
> >> >              Project: Wicket
> >> >           Issue Type: Bug
> >> >           Components: wicket-core, wicket-examples
> >> >     Affects Versions: 9.0.0-M4
> >> >             Reporter: Emond Papegaaij
> >> >
> >> >
> >> > {{ServerAndClientTimeFilter}}, {{AjaxServerAndClientTimeFilter}} and
> >> {{ServerHostNameAndTimeFilter}} all render inline script tags. Because
> >> these tags are rendered in a non-standard way, the nonce is not added,
> >> violating the CSP.
> >> >
> >> > These filters all put status information in {{window.defaultStatus}}.
> >> This property has been deprecated for years and support has been removed in
> >> most (if not all) browsers. My suggestion is to deprecate these classes in
> >> core and remove the one in examples. In the deprecated version, there is no
> >> need to fix the CSP violation.
> >> >
> >> >
> >> >
> >> > --
> >> > This message was sent by Atlassian Jira
> >> > (v8.3.4#803005)
> >>
> >

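The two technical points in this thread, an inline script the filter appends without the CSP nonce and the Server-Timing header proposed as the replacement, can be checked mechanically. The following is an added example, not Wicket code and not from anyone in this thread: a small Node script that audits rendered markup for `<script>` tags whose nonce is missing or wrong (the condition a nonce-based `script-src` policy would block) and builds a spec-shaped Server-Timing header value. The sample HTML, the nonce value and the metric names are constructed for the example; the helper names are my own.

```javascript
// Added example (not Wicket's own code): audit rendered HTML for <script>
// tags that a nonce-based CSP would block, and build a Server-Timing header.

const SCRIPT_TAG = /<script\b([^>]*)>/gi;
const NONCE_ATTR = /\bnonce\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;

// Picks whichever alternative of NONCE_ATTR matched (double, single or unquoted).
function nonceValue(attrs) {
  const m = NONCE_ATTR.exec(attrs);
  if (!m) return null;
  if (m[1] !== undefined) return m[1];
  if (m[2] !== undefined) return m[2];
  return m[3];
}

// Returns the opening tag of every <script> in `html` whose nonce attribute is
// absent or differs from `expectedNonce`. With a policy such as
// `script-src 'nonce-<expectedNonce>'` the browser refuses to run each of these,
// which is exactly what happens to a status script a filter appends verbatim.
function findScriptsWithoutNonce(html, expectedNonce) {
  const offenders = [];
  for (const match of html.matchAll(SCRIPT_TAG)) {
    if (nonceValue(match[1]) !== expectedNonce) offenders.push(match[0]);
  }
  return offenders;
}

// Metric names must be HTTP tokens (RFC 7230 tchar).
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Builds a Server-Timing header value from { name: { dur, desc } } entries,
// e.g. `app;dur=12.4;desc="Wicket render", db;dur=3`. Durations are in
// milliseconds; descriptions are emitted as quoted-strings with escaping so
// untrusted text cannot inject extra metrics or break the header.
function serverTimingHeader(metrics) {
  const parts = [];
  for (const [name, m] of Object.entries(metrics)) {
    if (!TOKEN.test(name)) throw new Error('invalid metric name: ' + name);
    let part = name;
    if (m.dur !== undefined) {
      if (!Number.isFinite(m.dur) || m.dur < 0) throw new Error('invalid dur for ' + name);
      part += ';dur=' + Number(m.dur.toFixed(3));
    }
    if (m.desc !== undefined) {
      const safe = String(m.desc)
        .replace(/[\u0000-\u001f\u007f]/g, '') // drop control characters (CR/LF included)
        .replace(/\\/g, '\\\\')
        .replace(/"/g, '\\"');
      part += ';desc="' + safe + '"';
    }
    parts.push(part);
  }
  return parts.join(', ');
}

// Constructed sample page: one script carrying the nonce correctly, plus a
// status script appended the way the deprecated filters do it (no nonce).
const NONCE = 'c29tZS1yYW5kb20tbm9uY2U'; // constructed placeholder, not a real nonce
const SAMPLE_HTML = '<html><head>\n' +
  '<script nonce="' + NONCE + '" src="/wicket/resource/jquery.js"></script>\n' +
  '</head><body>\n<p>Hello</p>\n' +
  "<script>window.defaultStatus='Server parsetime: 12ms, Client parsetime: ';</script>\n" +
  '</body></html>';

// Runs the audit over the sample page.
function auditSample() {
  return findScriptsWithoutNonce(SAMPLE_HTML, NONCE);
}

// Builds the header a replacement filter could set instead of emitting a script.
function sampleHeader() {
  return serverTimingHeader({ app: { dur: 12.4, desc: 'Wicket render' }, db: { dur: 3 } });
}

console.log('scripts lacking the nonce:', auditSample());
console.log('Server-Timing:', sampleHeader());
```

Running the audit over rendered responses in a test is a cheap way to catch the class of regression this issue describes before a browser reports it; the header builder shows that the server-side timing the old filters logged can be surfaced in DevTools without emitting any markup at all.
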
Re: [jira] [Created] (WICKET-6745) CSP: inline JS in server and clienttime response filters

Posted by Martin Grigorov <mg...@apache.org>.
On Tue, Feb 4, 2020 at 9:51 PM Martin Grigorov <mg...@apache.org> wrote:

> Hi,
>
> "window.defaultStatus"  could be easily replaced with console.log()
>
> Those are usually used in DEV mode. I think it is fine to preserve them.
>
> As a last resort we can render the value as a response header.
> I remember Chromium has handling for some special response header and puts
> its value in Dev Tools > Performance tab. I don't recall the name of the
> header at the moment.
>

https://ma.ttias.be/server-timings-chrome-devtools/


>
> On Tue, Feb 4, 2020 at 9:39 PM Emond Papegaaij <em...@gmail.com>
> wrote:
>
>> Hi all,
>>
>> Do you agree on this one? I see no use for these classes anymore, as
>> support for window.defaultStatus has been dropped by all major
>> browsers. They also log server time, but we have other and better
>> solutions for that.
>>
>> Best regards,
>> Emond
>>
>> On Tue, Feb 4, 2020 at 8:37 PM Emond Papegaaij (Jira) <ji...@apache.org>
>> wrote:
>> >
>> > Emond Papegaaij created WICKET-6745:
>> > ---------------------------------------
>> >
>> >              Summary: CSP: inline JS in server and clienttime response
>> filters
>> >                  Key: WICKET-6745
>> >                  URL: https://issues.apache.org/jira/browse/WICKET-6745
>> >              Project: Wicket
>> >           Issue Type: Bug
>> >           Components: wicket-core, wicket-examples
>> >     Affects Versions: 9.0.0-M4
>> >             Reporter: Emond Papegaaij
>> >
>> >
>> > {{ServerAndClientTimeFilter}}, {{AjaxServerAndClientTimeFilter}} and
>> {{ServerHostNameAndTimeFilter}} all render inline script tags. Because
>> these tags are rendered in a non-standard way, the nonce is not added,
>> violating the CSP.
>> >
>> > These filters all put status information in {{window.defaultStatus}}.
>> This property has been deprecated for years and support has been removed in
>> most (if not all) browsers. My suggestion is to deprecate these classes in
>> core and remove the one in examples. In the deprecated version, there is no
>> need to fix the CSP violation.
>> >
>> >
>> >
>> > --
>> > This message was sent by Atlassian Jira
>> > (v8.3.4#803005)
>>
>

Re: [jira] [Created] (WICKET-6745) CSP: inline JS in server and clienttime response filters

Posted by Martin Grigorov <mg...@apache.org>.
Hi,

"window.defaultStatus"  could be easily replaced with console.log()

Those are usually used in DEV mode. I think it is fine to preserve them.

As a last resort we can render the value as a response header.
I remember Chromium has handling for some special response header and puts
its value in Dev Tools > Performance tab. I don't recall the name of the
header at the moment.

On Tue, Feb 4, 2020 at 9:39 PM Emond Papegaaij <em...@gmail.com>
wrote:

> Hi all,
>
> Do you agree on this one? I see no use for these classes anymore, as
> support for window.defaultStatus has been dropped by all major
> browsers. They also log server time, but we have other and better
> solutions for that.
>
> Best regards,
> Emond
>
> On Tue, Feb 4, 2020 at 8:37 PM Emond Papegaaij (Jira) <ji...@apache.org>
> wrote:
> >
> > Emond Papegaaij created WICKET-6745:
> > ---------------------------------------
> >
> >              Summary: CSP: inline JS in server and clienttime response
> filters
> >                  Key: WICKET-6745
> >                  URL: https://issues.apache.org/jira/browse/WICKET-6745
> >              Project: Wicket
> >           Issue Type: Bug
> >           Components: wicket-core, wicket-examples
> >     Affects Versions: 9.0.0-M4
> >             Reporter: Emond Papegaaij
> >
> >
> > {{ServerAndClientTimeFilter}}, {{AjaxServerAndClientTimeFilter}} and
> {{ServerHostNameAndTimeFilter}} all render inline script tags. Because
> these tags are rendered in a non-standard way, the nonce is not added,
> violating the CSP.
> >
> > These filters all put status information in {{window.defaultStatus}}.
> This property has been deprecated for years and support has been removed in
> most (if not all) browsers. My suggestion is to deprecate these classes in
> core and remove the one in examples. In the deprecated version, there is no
> need to fix the CSP violation.
> >
> >
> >
> > --
> > This message was sent by Atlassian Jira
> > (v8.3.4#803005)
>