[
https://issues.apache.org/jira/browse/WICKET-6703?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17381332#comment-17381332
]
Tobias Haupt commented on WICKET-6703:
--------------------------------------
[~svenmeier] Created WICKET-6902 for further clarification. The problem is,
that we had to fix our application every single time we updated to a major
wicket version starting with wicket 1.4 because the order of javascripts in the
response had been changed again.
> Eliminate window.eval from wicket-ajax-jquery
> ---------------------------------------------
>
> Key: WICKET-6703
> URL: https://issues.apache.org/jira/browse/WICKET-6703
> Project: Wicket
> Issue Type: Improvement
> Components: wicket-core
> Affects Versions: 8.6.1
> Reporter: Andrew Kondratev
> Assignee: Sven Meier
> Priority: Major
> Fix For: 9.0.0-M4
>
>
> It's impossible to configure wicket with strict CSP Policy without
> unsafe-eval and keep using AJAX, because most of AJAX responses contain
> evaluations and header contributions which cause window.eval to be called.
> Window eval can be replaced with DOMEval with nonce approach. DOM eval is
> available in jQuery as globalEval.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
