Posted to commits@wicket.apache.org by "Andrew Kondratev (Jira)" <ji...@apache.org> on 2019/09/27 01:11:00 UTC

[jira] [Created] (WICKET-6703) Eliminate window.eval from wicket-ajax-jquery

Andrew Kondratev created WICKET-6703:
----------------------------------------

             Summary: Eliminate window.eval from wicket-ajax-jquery
                 Key: WICKET-6703
                 URL: https://issues.apache.org/jira/browse/WICKET-6703
             Project: Wicket
          Issue Type: Improvement
          Components: wicket-core
            Reporter: Andrew Kondratev


It's impossible to configure Wicket with a strict CSP policy without unsafe-eval and keep using AJAX, because most AJAX responses contain evaluations and header contributions which cause window.eval to be called.

window.eval can be replaced with the DOMEval-with-nonce approach. DOMEval is available in jQuery as globalEval.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
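
The DOMEval-with-nonce approach named in the issue, as an added sketch that is not part of the original message and is not Wicket's or jQuery's code. The names `domEval`, `makeModelDocument` and `demo`, the nonce values and the payload strings are assumptions; the model document stands in for a browser enforcing `script-src 'nonce-…'` without `unsafe-eval`.

```javascript
// Added example; not Wicket's or jQuery's code. All names are hypothetical.

// DOMEval: run `code` as an inline <script> carrying the page's CSP nonce,
// so the policy needs only script-src 'nonce-...' and no 'unsafe-eval'.
function domEval(code, nonce, doc = globalThis.document) {
  const script = doc.createElement("script");
  // The nonce must be present before insertion, when the CSP check happens.
  script.setAttribute("nonce", nonce);
  script.textContent = code;
  // A classic inline script runs synchronously on insertion, so the element
  // can be removed from the DOM right away.
  doc.head.appendChild(script).parentNode.removeChild(script);
}

// Constructed stand-in for a browser document enforcing
// "script-src 'nonce-<policyNonce>'". It records what a browser would
// execute or block instead of running anything, so the sketch works offline.
function makeModelDocument(policyNonce) {
  const log = { executed: [], blocked: [] };
  const head = {
    children: [],
    appendChild(el) {
      el.parentNode = head;
      head.children.push(el);
      const allowed = el.attrs.nonce === policyNonce;
      (allowed ? log.executed : log.blocked).push(el.textContent);
      return el;
    },
    removeChild(el) {
      head.children = head.children.filter((c) => c !== el);
      el.parentNode = null;
      return el;
    },
  };
  const createElement = (tag) => ({
    tag, attrs: {}, textContent: "", parentNode: null,
    setAttribute(name, value) { this.attrs[name] = String(value); },
  });
  return { head, createElement, log };
}

// Demo with constructed values: one payload with the per-response nonce,
// one with a nonce the policy does not list.
function demo() {
  const doc = makeModelDocument("r4nd0m-per-response");
  domEval("console.log('evaluated');", "r4nd0m-per-response", doc);
  domEval("console.log('no valid nonce');", "stale-nonce", doc);
  return { ...doc.log, leftInHead: doc.head.children.length };
}
```

In a browser, `domEval(code, nonce)` uses the real `document`; the nonce has to be the one the server put in that response's `Content-Security-Policy` header.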