On Wed, Feb 26, 2020 at 10:53 AM Martin Grigorov <mgrigo...@apache.org> wrote:
> I am also not big fan of CSP but users ask for it and I see no other way
> but to move all inline styles in such .css resource
IMHO CSP is one of the changes to the web application ecosystem that
Wicket will need an answer on to stay relevant in the upcoming years.
Web application development is changing at a very rapid pace and
Wicket will need to incorporate those changes or face becoming
obsolete.
> On Tue, Feb 25, 2020 at 10:54 PM Sven Meier <s...@meiers.net> wrote:
> > - it's a kitchen-sink for left-over styles (see .wicket--color-red)
>
> I agree that for this one Wicket can just add the CSS class (e.g.
> wicket-feedback-indicator) on the HTML element and let the application
> provide the CSS rules for it
I'm ok with that. I only added that styling to be compatible with the
old behavior, which was broken in my opinion anyway.
> >
< cut use hidden attribute >
> >
> I don't agree here.
> If each and every developer should make sure that Wicket's placeholder tags
> should stay invisible then the framework does not do its job.
> Often when we see that something is too common we actually add it to the
> framework. Here you ask to do the reverse - remove the support and ask the
> developers to deal with it.
> The article you linked to explains it well that "hidden" attribute does not
> really work. CSS libraries which provide reset rules like div { display:
> block; } will make the life of the developer miserable.
I totally agree with Martin. Using the hidden attribute puts the
responsibility with the developer where this should be on the
framework. The hidden attribute just doesn't work.
> An idea:
> if CSP is disabled then Wicket can deliver the content of wicket-core.css
> as inline CSS, i.e. <style>....</style>.
> This will keep the number of http requests the same as before.
This already is an option now and doesn't depend on CSP being enabled
or not. As long as the style element is rendered with a nonce, it will
work. We can make the header contribution a bit more flexible with the
following options:
* inline wicket-core.css (or another stylesheet)
* resource reference to wicket-core.css (or another stylesheet)
* no core stylesheet at all
Best regards,
Emond
