[ 
https://issues.apache.org/jira/browse/WICKET-6786?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17176217#comment-17176217
 ] 

Emond Papegaaij commented on WICKET-6786:
-----------------------------------------

[~svenmeier] I agree about the name. {{ResourceIsolationRequestCycleListener}} 
is better.

About the whitelist. I think it is better to leave it as it is now. The problem 
with whitelisting using the Origin header is that it is very unreliable anyway, 
so I would recommend not using it at all. It is part of the class mostly 
because that makes it easier to share the code with the old implementation. 
Maybe we should mark it deprecated? 

> CsrfPreventionRequestCycleListener should support Fetch Metadata Request 
> Headers
> --------------------------------------------------------------------------------
>
>                 Key: WICKET-6786
>                 URL: https://issues.apache.org/jira/browse/WICKET-6786
>             Project: Wicket
>          Issue Type: Improvement
>          Components: wicket-core
>    Affects Versions: 9.0.0-M5, 8.8.0
>            Reporter: Emond Papegaaij
>            Assignee: Emond Papegaaij
>            Priority: Major
>             Fix For: 9.1.0
>
>
> {{CsrfPreventionRequestCycleListener}} tries to determine the origin of a 
> request via interpretation of the Origin header and uses this to block 
> cross-origin requests. The Origin header, however, is not very reliable. For 
> example, when a user opens a link in a new tab, the header is not sent. Fetch 
> Metadata Request Headers (https://w3c.github.io/webappsec-fetch-metadata/) 
> aim to solve this via a set of well-defined headers. For Wicket, 
> {{sec-fetch-site}} is the most important: {{same-origin}} is safe, {{none}} 
> is a user opening a link via (for example) a bookmark, {{same-site}} and 
> {{cross-origin}} should be blocked.
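The request-isolation policy the issue describes, written out as an added example (not Wicket's own listener, which is Java): {{same-origin}} and {{none}} pass, {{same-site}} and {{cross-origin}} are blocked, and only when a browser sends no {{sec-fetch-site}} at all does the code fall back to comparing the Origin header with the request URL. The `allow_without_metadata` switch and the fail-closed treatment of unknown {{sec-fetch-site}} values are assumptions of this example, not decisions stated in the issue.

```python
"""Fetch Metadata request-isolation decision, modelled on WICKET-6786.
Added example; not code from the Wicket project."""
from enum import Enum
from urllib.parse import urlsplit

class Decision(Enum):
    ALLOW = "allow"
    BLOCK = "block"

# sec-fetch-site values and how the issue proposes to treat them
SAFE_SITES = {"same-origin", "none"}          # same app, or bookmark/typed URL
BLOCKED_SITES = {"same-site", "cross-origin"}  # another site initiated the request

def _origin_of(url: str) -> str:
    """Reduce a request URL to scheme://host[:port] for comparison with Origin."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()

def decide(headers: dict, request_url: str, allow_without_metadata: bool = True) -> Decision:
    """Classify one request from its headers (header names are case-insensitive).

    Assumption (not from the issue): a request carrying neither sec-fetch-site nor
    Origin cannot be classified; allow_without_metadata decides its fate.
    """
    h = {k.lower(): v for k, v in headers.items()}
    site = h.get("sec-fetch-site")
    if site is not None:
        site = site.strip().lower()
        if site in SAFE_SITES:
            return Decision.ALLOW
        # same-site, cross-origin, and any unexpected value: fail closed (assumption)
        return Decision.BLOCK
    # Legacy fallback for browsers without Fetch Metadata: compare Origin, if sent.
    # The issue notes this header is unreliable (e.g. absent when a link opens in a new tab).
    origin = h.get("origin")
    if origin is None:
        return Decision.ALLOW if allow_without_metadata else Decision.BLOCK
    return Decision.ALLOW if origin.lower() == _origin_of(request_url) else Decision.BLOCK

if __name__ == "__main__":
    # Constructed sample requests against a hypothetical Wicket app at https://app.example
    url = "https://app.example/wicket/page?1-1.IBehaviorListener"
    for hdrs in ({"Sec-Fetch-Site": "same-origin"}, {"Sec-Fetch-Site": "none"},
                 {"Sec-Fetch-Site": "same-site"}, {"Sec-Fetch-Site": "cross-origin"},
                 {"Origin": "https://app.example"}, {"Origin": "https://other.example"}, {}):
        print(hdrs, "->", decide(hdrs, url).value)
```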

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
