[ 
https://issues.apache.org/jira/browse/WICKET-7107?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17848897#comment-17848897
 ] 

ASF GitHub Bot commented on WICKET-7107:
----------------------------------------

dr0ps commented on code in PR #846:
URL: https://github.com/apache/wicket/pull/846#discussion_r1611370030


##########
wicket-core/src/main/java/org/apache/wicket/csp/CSPRequestCycleListener.java:
##########
@@ -39,14 +40,7 @@ public CSPRequestCycleListener(ContentSecurityPolicySettings 
settings)
        }
 
        @Override
-       public void onRequestHandlerResolved(RequestCycle cycle, 
IRequestHandler handler)
-       {
-               // WICKET-7028- this is needed for redirect to buffer use case.
-               protect(cycle, handler);
-       }
-
-       @Override
-       public void onRequestHandlerExecuted(RequestCycle cycle, 
IRequestHandler handler)
+       public void onUrlMapped(RequestCycle cycle, IRequestHandler handler, 
Url url)
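
Review bot: The new onUrlMapped override at the end of this hunk loses the "// WICKET-7028- this is needed for redirect to buffer use case." comment that documented the removed onRequestHandlerResolved hook, and nothing in the visible lines says why one URL-mapping callback now replaces both onRequestHandlerResolved and onRequestHandlerExecuted. Please add a comment on onUrlMapped naming the cases it is meant to cover (the redirect-to-buffer case from WICKET-7028 and the AUTO_REDIRECT case from WICKET-7107). Please also add a test for a request in which no URL is mapped, so that a response cannot silently go out without the CSP header.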

Review Comment:
   WICKET-7040 is never going to work, I think. Due to ajax requests, 
components can be instantiated long after the original page has been created 
and long after the original CSP has been sent to the browser. Additional CSPs 
could be delivered to the client as meta tags but weakening the original CSP is 
not allowed ( https://www.w3.org/TR/CSP3/#multiple-policies ). Therefore the 
strictest possible set of policies has to be known before the page is rendered.





> CSP Header not rendered when using RedirectPolicy.AUTO_REDIRECT
> ---------------------------------------------------------------
>
>                 Key: WICKET-7107
>                 URL: https://issues.apache.org/jira/browse/WICKET-7107
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket-core
>    Affects Versions: 9.16.0
>            Reporter: Dirk Forchel
>            Priority: Major
>         Attachments: myproject.zip
>
>
> If we redirect to another Web Page and use the RedirectPolicy.AUTO_REDIRECT, 
> this results in the CSP directives being missing in the head of the result 
> page.
> I've attached a quickstart application to show the error. Just browse to 
> http://localhost:8080/redirect and use the 
> browser's developer console of your choice. The CSP is not included if Wicket 
> performs a RestartResponseException with a WebPage instance like this
> {code:java}
> throw new RestartResponseException(new HomePage(new PageParameters()));{code}
> If you open the home page directly 
> (http://localhost:8080/) the response does 
> include a CSP.
> There is an additional test for the CSPRequestCycleListener with different 
> page classes as test parameters.
> Relates to https://issues.apache.org/jira/browse/WICKET-7028



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
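
The multiple-policies rule cited in the review comment of this message (https://www.w3.org/TR/CSP3/#multiple-policies), as an added JavaScript example that is not code from the PR or from Wicket: a load must pass every delivered policy, so a policy added later can tighten but never widen what the first one allows. The origins, policy strings and function names are constructed for illustration, and source matching is simplified to 'none', 'self', '*' and exact origins.

```javascript
// Added example: simplified model of CSP3 multiple-policy enforcement.
// Assumption: only 'none', 'self', '*' and exact-origin sources are modelled;
// nonces, hashes, paths, host wildcards and script-src-elem are left out.

// Parse one serialized policy into a Map of directive name -> source list.
function parsePolicy(text) {
  const directives = new Map();
  for (const part of text.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // Per CSP3, a repeated directive inside one policy is ignored.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Does one policy allow a script from `url` on a page served from `pageOrigin`?
function policyAllowsScript(policy, url, pageOrigin) {
  const sources = policy.get('script-src') ?? policy.get('default-src');
  if (sources === undefined) return true; // no governing directive: unrestricted
  const origin = new URL(url).origin;
  // 'none' (or an empty list) matches nothing, so some() returns false.
  return sources.some((src) =>
    src === '*' ||
    (src === "'self'" && origin === pageOrigin) ||
    src === origin);
}

// Every delivered policy (header or <meta>) is enforced; a load must pass all.
function allowedByAll(policyTexts, url, pageOrigin) {
  return policyTexts.every((text) =>
    policyAllowsScript(parsePolicy(text), url, pageOrigin));
}

// Constructed sample: the policy sent with the page, a looser policy that a
// component created during a later Ajax request would need, and a stricter one.
const PAGE = 'https://app.example';
const headerPolicy = "default-src 'none'; script-src 'self'";
const looserMetaPolicy = "script-src 'self' https://cdn.example";
const stricterMetaPolicy = "script-src 'none'";

console.log(allowedByAll([headerPolicy, looserMetaPolicy],
  'https://cdn.example/lib.js', PAGE)); // still blocked by the header policy
```
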
