[
https://issues.apache.org/jira/browse/WICKET-7028?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17708861#comment-17708861
]
ASF GitHub Bot commented on WICKET-7028:
----------------------------------------
reiern70 commented on PR #569:
URL: https://github.com/apache/wicket/pull/569#issuecomment-1497419624
> Can't check ATM, but don't we have to check for duplicated headers then?
>
Maybe yes... but they do not seem to be duplicated. I do agree this solution "sucks".
> I wonder whether we should go with a completely different solution: Aren't
> the headers specific to the page? We could add a behavior to the page (via
> Component instantiation/Initialization listener) and thus always add the header
> when the page is rendered.
Do you mean...
1. The setting registers a component instantiation listener
2. The listener adds a behavior to the page that adds these headers?
This idea could work and it may be cleaner than what we have now. Mind
that we have the same problem for CrossOriginEmbedderPolicyRequestCycleListener.
> CSP header not rendered when using RedirectPolicy.NEVER_REDIRECT
> ----------------------------------------------------------------
>
> Key: WICKET-7028
> URL: https://issues.apache.org/jira/browse/WICKET-7028
> Project: Wicket
> Issue Type: Bug
> Affects Versions: 9.12.0
> Reporter: Youri de Boer
> Priority: Critical
> Fix For: 10.0.0, 9.13.0
>
> Attachments: examplecsp.zip, image-2023-04-05-10-58-33-645.png,
> image-2023-04-05-13-13-46-451.png, image-2023-04-05-13-19-40-207.png,
> image-2023-04-05-13-21-01-849.png, image-2023-04-05-14-35-49-714.png,
> withcsp.png, withoutcsp.png
>
>
> We're busy with a project to replace every page in our application with a
> newer version. We don't want to break existing bookmarks, but we also don't
> want to have untested new pages in production. As a solution, all our new
> pages are only accessible via a feature toggle.
> A simplified version looks like:
> SimplePage.html
> {code}
> <!DOCTYPE html>
> <html xmlns:wicket="http://wicket.apache.org">
>   <head>
>     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
>     <title></title>
>   </head>
>   <body>
>     <div wicket:id="label"></div>
>   </body>
> </html>
> {code}
> SimplePage.java
> {code}
> import org.apache.wicket.markup.html.WebPage;
>
> public class SimplePage extends WebPage {
>     public SimplePage() {
>         super();
>     }
> }
> {code}
>
> OldPage.java
> {code}
> import org.apache.wicket.markup.html.basic.Label;
>
> public class OldPage extends SimplePage {
>     public OldPage() {
>     }
>
>     @Override
>     protected void onInitialize() {
>         super.onInitialize();
>         add(new Label("label", "OldPage"));
>     }
> }
> {code}
>
> NewPage.java
> {code}
> import org.apache.wicket.RestartResponseException;
> import org.apache.wicket.core.request.handler.PageProvider;
> import org.apache.wicket.core.request.handler.RenderPageRequestHandler.RedirectPolicy;
> import org.apache.wicket.markup.html.basic.Label;
>
> public class NewPage extends SimplePage {
>     public NewPage() {
>         if (featureFlagDisabled()) {
>             // new page is not ready yet, show users the old page
>             throw new RestartResponseException(
>                 new PageProvider(OldPage.class),
>                 RedirectPolicy.NEVER_REDIRECT
>             );
>         }
>     }
>
>     private boolean featureFlagDisabled() {
>         return true;
>     }
>
>     @Override
>     protected void onInitialize() {
>         super.onInitialize();
>         add(new Label("label", "NewPage"));
>     }
> }
> {code}
>
> And in our application class:
> {code}
> @Override
> protected void init() {
>     super.init();
>     mountPage("page1", NewPage.class);
>     mountPage("page2", OldPage.class);
>     getCspSettings()
>         .blocking();
> }
> {code}
> The url 'page1' is known to our users. The url 'page2' is not known to our
> users. Besides ending up with outdated bookmarks, there's no harm if they
> would access it directly.
> Regardless of which url you open, the RestartResponseException ensures the
> response in the browser is always 'OldPage'.
> However, the CSP is not included if Wicket performs the internal redirect. If
> I open the url 'page2' directly, the result does include a CSP. See attached
> screenshots.
> A workaround for this issue is a client side redirect; but then the users
> would see the url change.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
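The approach sketched in the comment above (an instantiation listener that attaches a header-setting behavior to every page, so the header is written on every render, including a render reached through RestartResponseException with RedirectPolicy.NEVER_REDIRECT), written out as an added example. This is not code from the pull request or from Wicket itself; the class names, the `install` helper and the fixed policy string are assumptions.

```java
import org.apache.wicket.Application;
import org.apache.wicket.Component;
import org.apache.wicket.Page;
import org.apache.wicket.application.IComponentInstantiationListener;
import org.apache.wicket.behavior.Behavior;
import org.apache.wicket.request.http.WebResponse;

/** Sets the CSP header each time the page it is attached to renders. */
class CspHeaderBehavior extends Behavior {
    private static final String CSP_HEADER = "Content-Security-Policy";
    private final String policy; // a plain String so the behavior serializes with the page

    CspHeaderBehavior(String policy) {
        this.policy = policy;
    }

    @Override
    public void beforeRender(Component component) {
        // beforeRender runs before any markup is written, so the header can still be
        // set. It fires on every render of the page, including the in-request render
        // of OldPage triggered by RestartResponseException, which the request-cycle
        // listener does not see because the resolved handler was replaced.
        if (component.getResponse() instanceof WebResponse) {
            WebResponse response = (WebResponse) component.getResponse();
            if (response.isHeaderSupported()) {
                // setHeader replaces any earlier value, so re-rendering never duplicates it
                response.setHeader(CSP_HEADER, policy);
            }
        }
    }
}

/** Attaches the behavior to every Page the moment it is instantiated. */
class CspPageListener implements IComponentInstantiationListener {
    private final String policy;

    CspPageListener(String policy) {
        this.policy = policy;
    }

    @Override
    public void onInstantiation(Component component) {
        if (component instanceof Page) { // only pages own the HTTP response headers
            component.add(new CspHeaderBehavior(policy));
        }
    }

    /** Hypothetical helper: call from WebApplication.init(); the policy is a constructed sample. */
    static void install(Application app) {
        app.getComponentInstantiationListeners().add(new CspPageListener("default-src 'self'"));
    }
}
```

A fixed policy string is used here; a policy that carries per-request nonces would have to be rendered inside `beforeRender` from the application's CSP settings instead of being captured at registration time.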