[ https://issues.apache.org/jira/browse/WICKET-6703?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17381192#comment-17381192 ]

Tobias Haupt commented on WICKET-6703:
--------------------------------------

The change made in 
https://github.com/apache/wicket/commit/b7f62a6591ea3e98374079555c877ba70ba30286#diff-d78837c7a0946ee5118aea1054d96c774a7d381d16dc5374ea87e7f018c6be94
caused a problem in our application that was hard to track: We used an 
AjaxRequestTarget.IListener that used 
the AjaxRequestTarget.prependJavaScript() method in its onAfterRespond 
callback. Due to the change of the order of evaluations and listener 
invocation in PartialPageUpdate.writeTo, the prepended JavaScript was silently 
ignored.

I don't know about all implications of that change of order, but would it be 
possible to throw an Exception if somebody wants to add a prependJavaScript 
too late, when those are already written?

> Eliminate window.eval from wicket-ajax-jquery
> ---------------------------------------------
>
>                 Key: WICKET-6703
>                 URL: https://issues.apache.org/jira/browse/WICKET-6703
>             Project: Wicket
>          Issue Type: Improvement
>          Components: wicket-core
>    Affects Versions: 8.6.1
>            Reporter: Andrew Kondratev
>            Assignee: Sven Meier
>            Priority: Major
>             Fix For: 9.0.0-M4
>
>
> It's impossible to configure wicket with strict CSP Policy without 
> unsafe-eval and keep using AJAX, because most of AJAX responses contain 
> evaluations and header contributions which cause window.eval to be called. 
> Window eval can be replaced with DOMEval with nonce approach. DOM eval is 
> available in jQuery as globalEval.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
