[
https://issues.apache.org/jira/browse/WICKET-6745?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17038627#comment-17038627
]
ASF subversion and git services commented on WICKET-6745:
---------------------------------------------------------
Commit 80c1b59ef6bd910c90cdad07b8f7d9960d5fb3b7 in wicket's branch
refs/heads/master from Emond Papegaaij
[ https://gitbox.apache.org/repos/asf?p=wicket.git;h=80c1b59 ]
WICKET-6745: Deprecate (Ajax)ServerAndClientTimeFilter
> CSP: inline JS in server and client time response filters
> ---------------------------------------------------------
>
> Key: WICKET-6745
> URL: https://issues.apache.org/jira/browse/WICKET-6745
> Project: Wicket
> Issue Type: Bug
> Components: wicket-core, wicket-examples
> Affects Versions: 9.0.0-M4
> Reporter: Emond Papegaaij
> Priority: Major
>
> {{ServerAndClientTimeFilter}}, {{AjaxServerAndClientTimeFilter}} and
> {{ServerHostNameAndTimeFilter}} all render inline script tags. Because these
> tags are rendered in a non-standard way, the nonce is not added, violating
> the CSP.
> These filters all put status information in {{window.defaultStatus}}. This
> property has been deprecated for years and support has been removed in most
> (if not all) browsers. My suggestion is to deprecate these classes in core
> and remove the one in examples. In the deprecated version, there is no need
> to fix the CSP violation.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
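
The CSP violation described in the issue above, as an added example that is not part of the original message or of Wicket's code: a small Node.js check that lists the inline `<script>` blocks in a rendered response which a nonce-based policy would refuse to run. The function names, the sample policy, the nonce and the markup are assumptions constructed for illustration.

```javascript
// Added example, not Wicket code. Policy, nonce and markup are constructed.
const SAMPLE_CSP = "default-src 'self'; script-src 'self' 'nonce-c2FtcGxlLW5vbmNl'";
const SAMPLE_HTML = [
  '<script nonce="c2FtcGxlLW5vbmNl">init();</script>',
  "<script type=\"text/javascript\">window.defaultStatus = 'Server time: 12 ms';</script>",
  '<script src="app.js"></script>',
].join('\n');

// Source list governing <script> elements, following the CSP fallback order.
function scriptSources(csp) {
  const directives = new Map();
  for (const part of csp.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, values); // first one wins
  }
  for (const key of ['script-src-elem', 'script-src', 'default-src']) {
    if (directives.has(key)) return directives.get(key);
  }
  return null; // no directive restricts scripts
}

// Inline scripts the policy would block. Regex scanning approximates HTML
// parsing; hash sources are not evaluated, so a hash-allowed script is listed.
function blockedInlineScripts(csp, html) {
  const sources = scriptSources(csp);
  if (sources === null) return [];
  const nonces = new Set();
  let hasHash = false;
  for (const s of sources) {
    const m = /^'nonce-([^']+)'$/i.exec(s);
    if (m) nonces.add(m[1]);
    if (/^'sha(256|384|512)-/i.test(s)) hasHash = true;
  }
  // Browsers ignore 'unsafe-inline' once a nonce or hash source is present.
  const unsafeInline = sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
  if (unsafeInline && nonces.size === 0 && !hasHash) return [];
  const blocked = [];
  for (const [, attrs, body] of html.matchAll(/<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi)) {
    if (/(?:^|\s)src\s*=/i.test(attrs)) continue; // external, not inline
    const nonce = /(?:^|\s)nonce\s*=\s*["']?([^"'\s>]+)/i.exec(attrs);
    if (nonce && nonces.has(nonce[1])) continue; // nonce matches the header
    blocked.push(body.trim());
  }
  return blocked;
}

console.log(blockedInlineScripts(SAMPLE_CSP, SAMPLE_HTML));
```

Run against a captured response in an integration test, a non-empty result points at markup that bypasses the framework's nonce handling, which is the situation the issue reports for the time filters.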