Posted to commits@wicket.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2019/10/29 14:08:00 UTC

[jira] [Commented] (WICKET-6703) Eliminate window.eval from wicket-ajax-jquery

    [ https://issues.apache.org/jira/browse/WICKET-6703?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16962038#comment-16962038 ] 

ASF subversion and git services commented on WICKET-6703:
---------------------------------------------------------

Commit 4d57ce588600bdd7602a3d96333069cd84033aae in wicket's branch refs/heads/WICKET-6703-replace-eval-with-domEval from Sven Meier
[ https://gitbox.apache.org/repos/asf?p=wicket.git;h=4d57ce5 ]

WICKET-6703 priorityHeaderItems are already sorted

in ResourceAggregator

> Eliminate window.eval from wicket-ajax-jquery
> ---------------------------------------------
>
>                 Key: WICKET-6703
>                 URL: https://issues.apache.org/jira/browse/WICKET-6703
>             Project: Wicket
>          Issue Type: Improvement
>          Components: wicket-core
>            Reporter: Andrew Kondratev
>            Assignee: Sven Meier
>            Priority: Major
>
> It's impossible to configure Wicket with a strict CSP policy without unsafe-eval and keep using AJAX, because most AJAX responses contain evaluations and header contributions which cause window.eval to be called.
> window.eval can be replaced with DOMEval with a nonce approach. DOMEval is available in jQuery as globalEval.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)