Posted to commits@wicket.apache.org by "Andrew Kondratev (JIRA)" <ji...@apache.org> on 2019/07/18 21:52:00 UTC

[jira] [Updated] (WICKET-6688) Add alternative RPC response to substitute the append java script in ajax response

     [ https://issues.apache.org/jira/browse/WICKET-6688?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andrew Kondratev updated WICKET-6688:
-------------------------------------
    Description: 
Some kind of RPC could be added to eliminate 'unsafe-eval' in CSP headers.

The idea is the following: instead of doing `target.appendJavaScript("doSomething()")`, we could do something like this: `target.appendRemoteCall("doSomething", "val1", "val2")`. The JS function could be rendered by the component/behavior as an inline <script> (which can be nonced).

[https://github.com/apache/wicket/pull/378]

 

  was:
Some kind of RPC could be added to eliminate 'unsafe-eval' in CSP headers.

The idea is the following: instead of doing `target.appendJavaScript("doSomething()")`, we could do something like this: `target.appendRemoteCall("doSomething", "val1", "val2")`. The JS function could be rendered by the component/behavior as an inline <script> (which can be nonced).

I implemented a proof of concept using the existing Wicket Ajax Java infrastructure:
https://github.com/andruhon/WicketFetch/blob/master/src/main/java/org/apache/wicket/fetch/example/HomePage.java
https://github.com/andruhon/WicketFetch/blob/master/src/main/java/org/apache/wicket/fetch/OnChangeFetchAjaxBehavior.java
https://github.com/andruhon/WicketFetch/blob/master/src/main/java/org/apache/wicket/fetch/js/OnChangeFetchAjaxBehavior.js

* OnChangeFetchAjaxBehavior.java renders a function into the header as a <script></script> element;
* OnChangeFetchAjaxBehavior.java, on an Ajax event, appends JavaScript which simply contains JSON;
* OnChangeFetchAjaxBehavior.js strips `function(){}` and parses the JSON; the function mentioned is located in the registered callbacks array and called with parameters from the JSON.

I think this approach could be added into existing infrastructure without creating something entirely new, and this new RPC could be used as a basement for something completely new.



> Add alternative RPC response to substitute the append java script in ajax response
> ----------------------------------------------------------------------------------
>
>                 Key: WICKET-6688
>                 URL: https://issues.apache.org/jira/browse/WICKET-6688
>             Project: Wicket
>          Issue Type: Improvement
>            Reporter: Andrew Kondratev
>            Priority: Major
>
> Some kind of RPC could be added to eliminate 'unsafe-eval' in CSP headers.
> The idea is the following: instead of doing `target.appendJavaScript("doSomething()")`, we could do something like this: `target.appendRemoteCall("doSomething", "val1", "val2")`. The JS function could be rendered by the component/behavior as an inline <script> (which can be nonced).
> [https://github.com/apache/wicket/pull/378]
>  



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
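
The dispatch scheme described in the issue (a JSON payload naming a pre-registered callback, so the client never evaluates script text and the page can drop 'unsafe-eval'), as an added example that is not part of the original message or of Wicket's code. The names `registerRemoteCall` and `dispatchRemoteCall` and the `{fn, args}` payload shape are assumptions made for illustration.

```javascript
// Added example; all names here are hypothetical, not Wicket APIs.

// Registry of functions the page has explicitly exposed. A Map is used so
// that names such as "constructor" or "__proto__" never resolve to
// inherited object properties.
const callbacks = new Map();

// Called from the nonced inline <script> that the component renders.
function registerRemoteCall(name, fn) {
  if (typeof name !== "string" || !/^[A-Za-z_$][\w$]*$/.test(name)) {
    throw new TypeError("callback name must be a plain identifier");
  }
  if (typeof fn !== "function") throw new TypeError("callback must be a function");
  if (callbacks.has(name)) throw new Error("callback already registered: " + name);
  callbacks.set(name, fn);
}

// Handles one response payload. The payload is data only, e.g.
// {"fn":"doSomething","args":["val1","val2"]}; nothing in it is evaluated.
function dispatchRemoteCall(payload) {
  let msg;
  try {
    msg = JSON.parse(payload);
  } catch (e) {
    return { ok: false, error: "invalid JSON" };
  }
  if (msg === null || typeof msg !== "object" ||
      typeof msg.fn !== "string" || !Array.isArray(msg.args)) {
    return { ok: false, error: "malformed call" };
  }
  const fn = callbacks.get(msg.fn);
  if (fn === undefined) return { ok: false, error: "unknown function" };
  return { ok: true, value: fn.apply(null, msg.args) };
}

// Constructed sample: one registered callback and four payloads.
registerRemoteCall("doSomething", (a, b) => a + ":" + b);

function demo() {
  return [
    dispatchRemoteCall('{"fn":"doSomething","args":["val1","val2"]}'), // dispatched
    dispatchRemoteCall('{"fn":"constructor","args":["x"]}'),           // not registered
    dispatchRemoteCall('{"fn":"doSomething"}'),                        // args missing
    dispatchRemoteCall('doSomething()'),                               // script text, not JSON
  ];
}
```

Only names registered by the page's own script can be invoked, so a tampered response can at most call an exposed function with unexpected arguments; each callback still has to validate its arguments.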