Andrew Kondratev created WICKET-6688:
----------------------------------------
Summary: Add alternative RPC response to substitute the append
JavaScript in ajax response
Key: WICKET-6688
URL: https://issues.apache.org/jira/browse/WICKET-6688
Project: Wicket
Issue Type: Improvement
Reporter: Andrew Kondratev

Some kind of RPC could be added to eliminate 'unsafe-eval' in CSP headers.
The idea is the following: instead of doing
`target.appendJavaScript("doSomething()")` we could do something like this
`target.appendRemoteCall("doSomething", "val1", "val2")`, the JS function could
be rendered by the component/behavior as inline <script> (which can be nonced).
I implemented a proof of concept, using existing wicket ajax java infrastructure
https://github.com/andruhon/WicketFetch/blob/master/src/main/java/org/apache/wicket/fetch/example/HomePage.java
https://github.com/andruhon/WicketFetch/blob/master/src/main/java/org/apache/wicket/fetch/OnChangeFetchAjaxBehavior.java
https://github.com/andruhon/WicketFetch/blob/master/src/main/java/org/apache/wicket/fetch/js/OnChangeFetchAjaxBehavior.js
* OnChangeFetchAjaxBehavior.java renders a function into the header as
<script></script> element;
* OnChangeFetchAjaxBehavior.java on ajax event appends javascript which simply
contains JSON;
* OnChangeFetchAjaxBehavior.js strips `function(){}` and parses JSON, the
function mentioned is located in registered callbacks array and called with
parameters from the JSON;
I think this approach could be added into existing infrastructure without
creating something entirely new, and this new RPC could be used as a basis
for something completely new.
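
Added example (not part of the original issue or of the WicketFetch proof of concept): a minimal client-side dispatcher for the RPC idea described above, which looks the function name up in a registry and passes JSON-decoded arguments, so no response text is evaluated and 'unsafe-eval' is not needed. The payload shape `{"call": ..., "args": [...]}` and the names `registerCallback` and `dispatchRemoteCall` are assumptions.

```javascript
// Added example: names, payload shape and sample data are hypothetical.

// Registry of functions the server is allowed to call by name. A Map (not a
// plain object) means "constructor" or "__proto__" never resolve to anything.
const callbacks = new Map();

function registerCallback(name, fn) {
  if (typeof name !== "string" || typeof fn !== "function") {
    throw new TypeError("registerCallback(name: string, fn: function)");
  }
  callbacks.set(name, fn);
}

// Dispatch one remote call received in an Ajax response.
// Assumed payload shape: {"call": "<registered name>", "args": [ ...JSON values ]}
function dispatchRemoteCall(payloadText) {
  let payload;
  try {
    payload = JSON.parse(payloadText); // data only: nothing is evaluated
  } catch (e) {
    return { ok: false, error: "invalid JSON" };
  }
  if (payload === null || typeof payload !== "object" || Array.isArray(payload)) {
    return { ok: false, error: "payload must be an object" };
  }
  const { call, args = [] } = payload;
  if (typeof call !== "string" || !callbacks.has(call)) {
    return { ok: false, error: "unknown callback" };
  }
  if (!Array.isArray(args)) {
    return { ok: false, error: "args must be an array" };
  }
  return { ok: true, value: callbacks.get(call)(...args) };
}

// Constructed sample: the page registers its handler from a nonced inline script.
registerCallback("doSomething", (a, b) => `${a}+${b}`);

// Constructed responses: a valid call, an unregistered name, and script text.
const results = [
  '{"call":"doSomething","args":["val1","val2"]}',
  '{"call":"constructor","args":["x"]}',
  'doSomething("val1")',
].map(dispatchRemoteCall);
console.log(results);
```

Only names registered by page code can run, and the arguments arrive as JSON values, so a response that contains script text is rejected instead of executed.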