[
https://issues.apache.org/jira/browse/WICKET-7028?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17709219#comment-17709219
]
ASF GitHub Bot commented on WICKET-7028:
----------------------------------------
reiern70 commented on PR #569:
URL: https://github.com/apache/wicket/pull/569#issuecomment-1498557849
> Not beautiful, but it seems to work.
>
> Maybe let #onRequestHandlerResolved() and #onRequestHandlerExecuted() both
delegate to a private method #protect() ... the way the one calls the other now
I find confusing.
This sounds like a goog idea. I will do and push those changes and merge.
After that I can try to explore the other idea you proposed (that seems less
fragile that doing it this way). Wondering if we should also add some tests
covering actual generation of headers for these corrner cases.
> CSP header not rendered when using RedirectPolicy.NEVER_REDIRECT
> ----------------------------------------------------------------
>
> Key: WICKET-7028
> URL: https://issues.apache.org/jira/browse/WICKET-7028
> Project: Wicket
> Issue Type: Bug
> Affects Versions: 9.12.0
> Reporter: Youri de Boer
> Priority: Critical
> Fix For: 10.0.0, 9.13.0
>
> Attachments: examplecsp.zip, image-2023-04-05-10-58-33-645.png,
> image-2023-04-05-13-13-46-451.png, image-2023-04-05-13-19-40-207.png,
> image-2023-04-05-13-21-01-849.png, image-2023-04-05-14-35-49-714.png,
> withcsp.png, withoutcsp.png
>
>
> We're busy with a project to replace every page in our application with a
> newer version. We don't want to break existing bookmarks, but we also don't
> want to have untested new pages in production. As a solution, all our new
> pages are only accessible via a feature toggle.
> A simplified version looks like:
> SimplePage.html
> {code}
> <!DOCTYPE html>
> <html xmlns:wicket="http://wicket.apache.org";>
> <head>
> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
> <title></title>
> </head>
> <body>
> <div wicket:id="label"></div>
> </body>
> </html>
> {code}
> SimplePage.java
> {code}
> public class SimplePage extends WebPage {
> public SimplePage() {
> super();
> }
> }
> {code}
>
> OldPage.java
> {code}
> public class OldPage extends SimplePage {
> public OldPage() {
> }
> @Override
> protected void onInitialize() {
> super.onInitialize();
> add(new Label("label", "OldPage"));
> }
> }
> {code}
>
> NewPage.java
> {code}
> public class NewPage extends SimplePage {
> public NewPage() {
> if (featureFlagDisabled()) {
> // new page is not ready yet, show users the old page
> throw new RestartResponseException(
> new PageProvider(OldPage.class),
> RedirectPolicy.NEVER_REDIRECT
> );
> }
> }
> private boolean featureFlagDisabled() {
> return true;
> }
> @Override
> protected void onInitialize() {
> super.onInitialize();
> add(new Label("label", "NewPage"));
> }
> }
> {code}
>
> And in our application class:
> {code}
> mountPage("page1", NewPage.class);
> mountPage("page2", OldPage.class);
> getCspSettings()
> .blocking();
> {code}
> The url 'page1' is known to our users. The url 'page2' is not known to our
> users. Besides ending up with outdated bookmarks, there's no harm if they
> would access it directly.
> Regardless of which url you open, the RestartResponseException ensures the
> reponse in the browser is always 'OldPage'.
> However, the CSP is not included if wicket performs the internal redirect. If
> I open the url 'page2' directly, the result does include a CSP. See attached
> screenshots.
> A workaround for this issue is a client side redirect; but then the users
> would see the url change.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
