[ https://issues.apache.org/jira/browse/WICKET-6745?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17031908#comment-17031908 ]

ASF subversion and git services commented on WICKET-6745:
---------------------------------------------------------

Commit 4ebb8b0acffb9aedd39f501db6fbcd02f81201dc in wicket's branch refs/heads/csp-examples from Emond Papegaaij
[ https://gitbox.apache.org/repos/asf?p=wicket.git;h=4ebb8b0 ]

WICKET-6737: removed obsolete response filter from examples

See WICKET-6745 for more information on similar filters. The filter
in wicket-examples was almost a duplicate of ServerAndClientTimeFilter.


> CSP: inline JS in server and client time response filters
> ---------------------------------------------------------
>
>                 Key: WICKET-6745
>                 URL: https://issues.apache.org/jira/browse/WICKET-6745
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket-core, wicket-examples
>    Affects Versions: 9.0.0-M4
>            Reporter: Emond Papegaaij
>            Priority: Major
>
> {{ServerAndClientTimeFilter}}, {{AjaxServerAndClientTimeFilter}} and 
> {{ServerHostNameAndTimeFilter}} all render inline script tags. Because these 
> tags are rendered in a non-standard way, the nonce is not added, violating 
> the CSP.
> These filters all put status information in {{window.defaultStatus}}. This 
> property has been deprecated for years and support has been removed in most 
> (if not all) browsers. My suggestion is to deprecate these classes in core 
> and remove the one in examples. In the deprecated version, there is no need 
> to fix the CSP violation.
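The quoted report describes the failure mode in one sentence: a response filter that writes its own `<script>` tag bypasses the header-response machinery that attaches the CSP nonce, so a nonce-based `script-src` policy blocks it. The following is an added example (not Wicket's code, and not from the issue) of a small response-side check a reviewer or a test could run to catch such scripts: it reads the nonce out of a `Content-Security-Policy` header value and lists every inline `<script>` in the rendered body that does not carry it. The policy string, the nonce value and the HTML body are constructed for the example; the `window.defaultStatus` line stands in for what a filter like the one removed in the commit above would emit.

```python
import re

# Constructed sample values (not taken from Wicket): a nonce-based policy of the
# kind a Wicket 9 application sends, and a rendered page in which one script was
# emitted through the header response (and so carries the nonce) and one was
# appended by a legacy response filter (and so does not).
CSP_HEADER = ("default-src 'none'; "
              "script-src 'nonce-c29tZS1yYW5kb20tbm9uY2U=' 'strict-dynamic'")

RESPONSE_BODY = """<html><head>
<script nonce="c29tZS1yYW5kb20tbm9uY2U=">wicket.init();</script>
</head><body>
<script type="text/javascript">window.defaultStatus='Server parse time: 12ms';</script>
<script src="/wicket/resource/app.js"></script>
</body></html>"""

# 'nonce-<base64>' source expressions inside a directive
NONCE_RE = re.compile(r"'nonce-([A-Za-z0-9+/=_-]+)'")
# <script ...attributes...>body</script>, case-insensitive, body may span lines
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
# name="value" attribute pairs (double-quoted, which is what Wicket renders)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def script_src_nonces(csp_header):
    """Return the set of nonce values that the script-src directive accepts."""
    for directive in csp_header.split(";"):
        parts = directive.split()
        if parts and parts[0] == "script-src":
            return set(NONCE_RE.findall(directive))
    return set()


def inline_scripts_without_nonce(csp_header, body):
    """Return the contents of inline <script> elements the policy would block.

    Scripts with a src attribute are skipped: they are governed by host sources
    and 'strict-dynamic', not by a nonce on inline content.
    """
    allowed = script_src_nonces(csp_header)
    violations = []
    for raw_attrs, content in SCRIPT_RE.findall(body):
        attrs = dict(ATTR_RE.findall(raw_attrs))
        if "src" in attrs:
            continue
        if attrs.get("nonce") not in allowed:
            violations.append(content.strip())
    return violations


if __name__ == "__main__":
    for script in inline_scripts_without_nonce(CSP_HEADER, RESPONSE_BODY):
        print("inline script without a valid nonce:", script)
```

Running the module prints the `window.defaultStatus` script and nothing else: the nonce-bearing `wicket.init()` script and the external resource pass. The check is deliberately conservative (a whole-response regex rather than an HTML parser), which is adequate for the markup Wicket itself renders but should not be relied on for arbitrary user-supplied HTML.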



--
This message was sent by Atlassian Jira
(v8.3.4#803005)