Posted to commits@wicket.apache.org by "Andrew Kondratev (Jira)" <ji...@apache.org> on 2019/09/27 01:11:00 UTC
[jira] [Created] (WICKET-6703) Eliminate window.eval from wicket-ajax-jquery
Andrew Kondratev created WICKET-6703:
----------------------------------------
Summary: Eliminate window.eval from wicket-ajax-jquery
Key: WICKET-6703
URL: https://issues.apache.org/jira/browse/WICKET-6703
Project: Wicket
Issue Type: Improvement
Components: wicket-core
Reporter: Andrew Kondratev
It's impossible to configure Wicket with a strict CSP policy without unsafe-eval and keep using AJAX, because most AJAX responses contain evaluations and header contributions, which cause window.eval to be called.
window.eval can be replaced with the DOMEval-with-nonce approach. DOMEval is available in jQuery as globalEval.
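The DOM-eval-with-nonce approach named in the issue, as an added example that is not Wicket's or jQuery's code: the script text goes into a `<script>` element carrying the page's CSP nonce instead of being passed to `window.eval`. `domEval`, `makeStubDocument` and the nonce value are hypothetical; the stub document is constructed and models only the nonce check, so the block also runs under Node.

```javascript
// Evaluate `code` by inserting a nonce-bearing <script> element.
// Under a policy such as  script-src 'nonce-<value>'  (no 'unsafe-eval'),
// the browser runs the inline script only if its nonce matches the policy.
function domEval(code, nonce, doc) {
  doc = doc || document;
  const script = doc.createElement("script");
  script.text = code;
  if (nonce) {
    // Set the IDL property: browsers hide the nonce content attribute,
    // so getAttribute("nonce") on an existing script returns "".
    script.nonce = nonce;
  }
  // Inline scripts execute synchronously on insertion, so the element
  // can be removed right away without leaving residue in the DOM.
  doc.head.appendChild(script);
  doc.head.removeChild(script);
}

// Constructed stub document (assumption): stands in for a browser that
// enforces a nonce-only script-src policy. `sandbox` plays the role of window.
function makeStubDocument(policyNonce, sandbox) {
  const violations = [];
  const head = {
    children: [],
    appendChild(el) {
      this.children.push(el);
      if (el.tagName === "script") {
        if (el.nonce === policyNonce) {
          // Stub only: stands in for the browser executing the script.
          new Function("window", el.text)(sandbox);
        } else {
          violations.push("script-src: inline script blocked, nonce mismatch");
        }
      }
      return el;
    },
    removeChild(el) {
      this.children = this.children.filter((c) => c !== el);
      return el;
    },
  };
  const createElement = (tag) => ({ tagName: tag, text: "", nonce: "" });
  return { head, violations, createElement };
}
```

With jQuery 3.4.0 or later the same effect is available through `jQuery.globalEval(code, { nonce: value })`.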