You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@wicket.apache.org by "Emond Papegaaij (Jira)" <ji...@apache.org> on 2020/02/17 21:04:00 UTC

[jira] [Resolved] (WICKET-6745) CSP: inline JS in server and client time response filters

     [ https://issues.apache.org/jira/browse/WICKET-6745?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Emond Papegaaij resolved WICKET-6745.
-------------------------------------
    Fix Version/s: 9.0.0-M5
         Assignee: Emond Papegaaij
       Resolution: Fixed

> CSP: inline JS in server and client time response filters
> ---------------------------------------------------------
>
>                 Key: WICKET-6745
>                 URL: https://issues.apache.org/jira/browse/WICKET-6745
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket-core, wicket-examples
>    Affects Versions: 9.0.0-M4
>            Reporter: Emond Papegaaij
>            Assignee: Emond Papegaaij
>            Priority: Major
>             Fix For: 9.0.0-M5
>
>
> {{ServerAndClientTimeFilter}}, {{AjaxServerAndClientTimeFilter}} and {{ServerHostNameAndTimeFilter}} all render inline script tags. Because these tags are rendered in a non-standard way, the nonce is not added, violating the CSP.
> These filters all put status information in {{window.defaultStatus}}. This property has been deprecated for years and support has been removed in most (if not all) browsers. My suggestion is to deprecate these classes in core and remove the one in examples. In the deprecated version, there is no need to fix the CSP violation.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)