You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@wicket.apache.org by "Emond Papegaaij (Jira)" <ji...@apache.org> on 2020/02/04 19:37:00 UTC
[jira] [Updated] (WICKET-6745) CSP: inline JS in server and client
time response filters
[ https://issues.apache.org/jira/browse/WICKET-6745?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Emond Papegaaij updated WICKET-6745:
------------------------------------
Summary: CSP: inline JS in server and client time response filters (was: CSP: inline JS in server and clienttime response filters)
> CSP: inline JS in server and client time response filters
> ---------------------------------------------------------
>
> Key: WICKET-6745
> URL: https://issues.apache.org/jira/browse/WICKET-6745
> Project: Wicket
> Issue Type: Bug
> Components: wicket-core, wicket-examples
> Affects Versions: 9.0.0-M4
> Reporter: Emond Papegaaij
> Priority: Major
>
> {{ServerAndClientTimeFilter}}, {{AjaxServerAndClientTimeFilter}} and {{ServerHostNameAndTimeFilter}} all render inline script tags. Because these tags are rendered in a non-standard way, the nonce is not added, violating the CSP.
> These filters all put status information in {{window.defaultStatus}}. This property has been deprecated for years and support has been removed in most (if not all) browsers. My suggestion is to deprecate these classes in core and remove the one in examples. In the deprecated version, there is no need to fix the CSP violation.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)