[ 
https://issues.apache.org/jira/browse/WICKET-7028?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17708468#comment-17708468
 ] 

Sven Meier commented on WICKET-7028:
------------------------------------

[~bitstorm] I've tried to find a solution for this, but wasn't successful:

As I have written above, setting the CSP headers in #onRequestHandlerResolved 
is too early, since a ResponseResettingDecorator clears the headers.

I've tried out setting the CSP headers in #onEndRequest, but this is too late 
in cases where the response is rendered into a buffer which is then redirected 
too.

Maybe I missed something, but I didn't find any good request cycle hook to hook 
into. Maybe we need another hook for this (#pageisRendered?), but it's strange 
to me that we didn't have a need for that before.

Regretfully I don't have time at the moment to continue my investigations on 
this.

> CSP header not rendered when using RedirectPolicy.NEVER_REDIRECT
> ----------------------------------------------------------------
>
>                 Key: WICKET-7028
>                 URL: https://issues.apache.org/jira/browse/WICKET-7028
>             Project: Wicket
>          Issue Type: Bug
>    Affects Versions: 9.12.0
>            Reporter: Youri de Boer
>            Priority: Critical
>             Fix For: 10.0.0, 9.13.0
>
>         Attachments: examplecsp.zip, withcsp.png, withoutcsp.png
>
>
> We're busy with a project to replace every page in our application with a 
> newer version. We don't want to break existing bookmarks, but we also don't 
> want to have untested new pages in production.  As a solution, all our new 
> pages are only accessible via a feature toggle.
> A simplified version looks like:
> SimplePage.html
> {code}
> <!DOCTYPE html>
> <html xmlns:wicket="http://wicket.apache.org">
> <head>
> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
> <title></title>
> </head>
> <body>
>     <div wicket:id="label"></div>
> </body>
> </html>
> {code}
>  SimplePage.java
> {code}
> public class SimplePage extends WebPage {
>     public SimplePage() {
>         super();
>     }
> }
> {code}
>  
> OldPage.java
> {code}
> public class OldPage extends SimplePage {
>     public OldPage() {
>     }
>     @Override
>     protected void onInitialize() {
>         super.onInitialize();
>         add(new Label("label", "OldPage"));
>     }
> }
> {code}
>  
> NewPage.java
> {code}
> public class NewPage extends SimplePage {
>     public NewPage() {
>         if (featureFlagDisabled()) {
>             // new page is not ready yet, show users the old page
>             throw new RestartResponseException(
>                     new PageProvider(OldPage.class),
>                     RedirectPolicy.NEVER_REDIRECT
>                     );
>         }
>     }
>     private boolean featureFlagDisabled() {
>         return true;
>     }
>     @Override
>     protected void onInitialize() {
>         super.onInitialize();
>         add(new Label("label", "NewPage"));
>     }
> }
> {code}
>  
> And in our application class:
> {code}
>         mountPage("page1", NewPage.class);
>         mountPage("page2", OldPage.class);
>         getCspSettings().blocking();
> {code}
> The url 'page1' is known to our users. The url 'page2' is not known to our 
> users. Besides ending up with outdated bookmarks, there's no harm if they 
> would access it directly.
> Regardless of which URL you open, the RestartResponseException ensures the 
> response in the browser is always 'OldPage'.
> However, the CSP is not included if wicket performs the internal redirect. If 
> I open the url 'page2' directly, the result does include a CSP. See attached 
> screenshots.
> A workaround for this issue is a client side redirect; but then the users 
> would see the url change.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
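A regression check for the behaviour described in the report, added here as an example; it is not part of the Jira issue or of the Wicket project. It drives the report's two mounts with WicketTester against an anonymous WebApplication and asserts that the Content-Security-Policy header is present whether OldPage is reached directly at page2 or through the RestartResponseException raised at page1. NewPage and OldPage are the classes from the report; the test class name, the CSP_HEADER constant, the JUnit 5 wiring and the assumption that executeUrl resolves mount paths relative to the tester's filter prefix are mine, not the project's.

```java
import org.apache.wicket.Page;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.util.tester.WicketTester;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;

import static org.junit.jupiter.api.Assertions.assertNotNull;

// Hypothetical regression test for the CSP header on an internal (NEVER_REDIRECT) restart.
public class CspOnRestartResponseTest {

    // Header name Wicket's blocking CSP configuration writes (assumption: blocking mode, not report-only).
    private static final String CSP_HEADER = "Content-Security-Policy";

    private WicketTester tester;

    @BeforeEach
    void setUp() {
        // Anonymous application mirroring the mounts and CSP setup from the report.
        tester = new WicketTester(new WebApplication() {
            @Override
            public Class<? extends Page> getHomePage() {
                return OldPage.class;
            }

            @Override
            protected void init() {
                super.init();
                mountPage("page1", NewPage.class);
                mountPage("page2", OldPage.class);
                getCspSettings().blocking();
            }
        });
    }

    @AfterEach
    void tearDown() {
        tester.destroy();
    }

    // Baseline: a direct request to the old page carries the CSP header.
    @Test
    void directRequestCarriesCsp() {
        tester.executeUrl("page2");
        tester.assertRenderedPage(OldPage.class);
        assertNotNull(tester.getLastResponse().getHeader(CSP_HEADER),
                "CSP header missing on a direct request to OldPage");
    }

    // The case from the report: NewPage restarts the response with OldPage and NEVER_REDIRECT,
    // so the browser sees the page1 URL with OldPage content. The CSP header must still be set.
    @Test
    void internalRestartCarriesCsp() {
        tester.executeUrl("page1");
        tester.assertRenderedPage(OldPage.class);
        assertNotNull(tester.getLastResponse().getHeader(CSP_HEADER),
                "CSP header dropped on RestartResponseException with RedirectPolicy.NEVER_REDIRECT");
    }
}
```

Against the affected version the second test is the one that fails, matching the attached screenshots; keeping it in the suite makes a reappearance of the missing header a build failure rather than something noticed in the browser's network tab.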
