Posted to commits@wicket.apache.org by "Tobias Haupt (Jira)" <ji...@apache.org> on 2021/07/15 09:07:00 UTC

[jira] [Commented] (WICKET-6703) Eliminate window.eval from wicket-ajax-jquery

    [ https://issues.apache.org/jira/browse/WICKET-6703?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17381192#comment-17381192 ] 

Tobias Haupt commented on WICKET-6703:
--------------------------------------

The change made in
https://github.com/apache/wicket/commit/b7f62a6591ea3e98374079555c877ba70ba30286#diff-d78837c7a0946ee5118aea1054d96c774a7d381d16dc5374ea87e7f018c6be94
caused a problem in our application that was hard to track: We used an AjaxRequestTarget.IListener that used the AjaxRequestTarget.prependJavaScript() method in its onAfterRespond callback. Due to the change of the order of evaluations and listener invocation in PartialPageUpdate.writeTo, the prepended JavaScript was silently ignored.

I don't know about all implications of that change of order, but would it be possible to throw an Exception if somebody wants to add a prependJavaScript too late, when those are already written?

> Eliminate window.eval from wicket-ajax-jquery
> ---------------------------------------------
>
>                 Key: WICKET-6703
>                 URL: https://issues.apache.org/jira/browse/WICKET-6703
>             Project: Wicket
>          Issue Type: Improvement
>          Components: wicket-core
>    Affects Versions: 8.6.1
>            Reporter: Andrew Kondratev
>            Assignee: Sven Meier
>            Priority: Major
>             Fix For: 9.0.0-M4
>
>
> It's impossible to configure Wicket with a strict CSP policy without unsafe-eval and keep using AJAX, because most AJAX responses contain evaluations and header contributions which cause window.eval to be called.
> Window eval can be replaced with DOMEval with a nonce approach. DOM eval is available in jQuery as globalEval.
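
Added example, not part of the original message and not Wicket's own code: a simplified Java model of the fail-fast check asked for in the comment above, where a late prependJavaScript() call raises an exception instead of being dropped. The classes `Update` and `Listener` and the output markers are hypothetical, and the model assumes that listeners are invoked after the prepended scripts have been written.

```java
import java.util.ArrayList;
import java.util.List;

// Simplified model, NOT Wicket's PartialPageUpdate: all names here are hypothetical.
public class PrependGuardDemo {

    interface Listener { void onAfterRespond(Update update); }

    static class Update {
        private final List<String> prepend = new ArrayList<>();
        private final StringBuilder out = new StringBuilder();
        private boolean prependWritten = false;

        void prependJavaScript(String js) {
            if (prependWritten) {
                // Fail fast instead of silently dropping the script.
                throw new IllegalStateException(
                    "prependJavaScript() called after prepended scripts were written: " + js);
            }
            prepend.add(js);
        }

        String writeTo(List<Listener> listeners) {
            for (String js : prepend) {
                out.append("[prepend]").append(js).append("[/prepend]"); // constructed marker
            }
            prependWritten = true;      // later additions can no longer reach the response
            out.append("[components]");
            for (Listener l : listeners) {
                l.onAfterRespond(this); // assumed order: listeners run after the prepend section
            }
            return out.toString();
        }
    }

    public static void main(String[] args) {
        Update update = new Update();
        update.prependJavaScript("init();");                    // in time: written to the response
        Listener late = u -> u.prependJavaScript("tooLate();"); // the case from the comment
        try {
            update.writeTo(List.of(late));
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```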


