[
https://issues.apache.org/jira/browse/WICKET-7028?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17709258#comment-17709258
]
ASF GitHub Bot commented on WICKET-7028:
----------------------------------------
solomax commented on code in PR #569:
URL: https://github.com/apache/wicket/pull/569#discussion_r1159399210
##########
wicket-core/src/main/java/org/apache/wicket/coep/CrossOriginEmbedderPolicyRequestCycleListener.java:
##########
@@ -36,15 +36,15 @@
* <code>Cross-Origin-Embedder-Policy</code>. The header is not set for the
paths that are exempted
* from COEP. The only valid value of COEP is <code>require-corp</code>, so if
the listener is
* enabled the policy value will be specified as so.
- *
+ * <p>
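Review bot: the `+ * <p>` that closes this hunk sits on a line of its own, and javadoc's doclint emits "empty <p> tag" when a `<p>` is followed only by whitespace, another block tag or the end of the comment (a self-closing `<p/>` is rejected outright); whether it fires here depends on the remaining lines of the 15-line hunk that this snippet does not show. The form doclint never complains about is `<p>` leading the first text line of the new paragraph, e.g. `* <p>First sentence of the next paragraph`, so consider moving it there and keeping the blank `*` separator the comment used before this change.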
Review Comment:
I believe this one will produce a JavaDoc warning :(
> CSP header not rendered when using RedirectPolicy.NEVER_REDIRECT
> ----------------------------------------------------------------
>
> Key: WICKET-7028
> URL: https://issues.apache.org/jira/browse/WICKET-7028
> Project: Wicket
> Issue Type: Bug
> Affects Versions: 9.12.0
> Reporter: Youri de Boer
> Priority: Critical
> Fix For: 10.0.0, 9.13.0
>
> Attachments: examplecsp.zip, image-2023-04-05-10-58-33-645.png,
> image-2023-04-05-13-13-46-451.png, image-2023-04-05-13-19-40-207.png,
> image-2023-04-05-13-21-01-849.png, image-2023-04-05-14-35-49-714.png,
> withcsp.png, withoutcsp.png
>
>
> We're busy with a project to replace every page in our application with a
> newer version. We don't want to break existing bookmarks, but we also don't
> want to have untested new pages in production. As a solution, all our new
> pages are only accessible via a feature toggle.
> A simplified version looks like:
> SimplePage.html
> {code}
> <!DOCTYPE html>
> <html xmlns:wicket="http://wicket.apache.org">
>   <head>
>     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
>     <title></title>
>   </head>
>   <body>
>     <div wicket:id="label"></div>
>   </body>
> </html>
> {code}
> SimplePage.java
> {code}
> import org.apache.wicket.markup.html.WebPage;
>
> public class SimplePage extends WebPage {
>     public SimplePage() {
>         super();
>     }
> }
> {code}
>
> OldPage.java
> {code}
> import org.apache.wicket.markup.html.basic.Label;
>
> public class OldPage extends SimplePage {
>     public OldPage() {
>     }
>
>     @Override
>     protected void onInitialize() {
>         super.onInitialize();
>         add(new Label("label", "OldPage"));
>     }
> }
> {code}
>
> NewPage.java
> {code}
> import org.apache.wicket.RestartResponseException;
> import org.apache.wicket.core.request.handler.PageProvider;
> import org.apache.wicket.core.request.handler.RenderPageRequestHandler.RedirectPolicy;
> import org.apache.wicket.markup.html.basic.Label;
>
> public class NewPage extends SimplePage {
>     public NewPage() {
>         if (featureFlagDisabled()) {
>             // new page is not ready yet, show users the old page
>             throw new RestartResponseException(
>                 new PageProvider(OldPage.class),
>                 RedirectPolicy.NEVER_REDIRECT
>             );
>         }
>     }
>
>     private boolean featureFlagDisabled() {
>         return true;
>     }
>
>     @Override
>     protected void onInitialize() {
>         super.onInitialize();
>         add(new Label("label", "NewPage"));
>     }
> }
> {code}
>
> And in our application class:
> {code}
> mountPage("page1", NewPage.class);
> mountPage("page2", OldPage.class);
> getCspSettings().blocking();
> {code}
> The URL 'page1' is known to our users. The URL 'page2' is not known to our
> users. Besides ending up with outdated bookmarks, there's no harm if they
> accessed it directly.
> Regardless of which URL you open, the RestartResponseException ensures the
> response in the browser is always 'OldPage'.
> However, the CSP is not included if Wicket performs the internal redirect. If
> I open the URL 'page2' directly, the result does include a CSP. See attached
> screenshots.
> A workaround for this issue is a client-side redirect, but then the users
> would see the URL change.
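Added regression check for the behaviour described in the report above; this is example code written here, not the reporter's attachment and not part of Wicket's own test suite. It assumes JUnit 5 and Wicket's WicketTester on the test classpath, the SimplePage/OldPage/NewPage classes exactly as given above, and a hypothetical application class named CspToggleApplication that repeats the report's mount and CSP configuration. The second test is the one expected to fail on 9.12.0, since the report says the Content-Security-Policy header is dropped on the NEVER_REDIRECT restart; both should pass once the fix lands.

```java
// Added regression check (example code, not from the issue or the Wicket project).
// Verifies that the Content-Security-Policy header reaches the client both when a
// mounted page renders directly and when NewPage's constructor restarts the response
// with RedirectPolicy.NEVER_REDIRECT. Assumes the SimplePage/OldPage/NewPage classes
// from the report are on the classpath; CspToggleApplication is a hypothetical name.
import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertNotNull;

import org.apache.wicket.Page;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.util.tester.WicketTester;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;

public class CspOnInternalRedirectTest {

    private WicketTester tester;

    @BeforeEach
    void setUp() {
        tester = new WicketTester(new CspToggleApplication());
    }

    @AfterEach
    void tearDown() {
        tester.destroy();
    }

    @Test
    void cspHeaderPresentOnDirectRender() {
        // 'page2' is mounted straight onto OldPage: no restart involved.
        tester.executeUrl("page2");
        tester.assertRenderedPage(OldPage.class);
        assertCspHeader("page2 (OldPage rendered directly)");
    }

    @Test
    void cspHeaderPresentAfterNeverRedirectRestart() {
        // 'page1' is mounted onto NewPage, whose constructor throws
        // RestartResponseException(OldPage, NEVER_REDIRECT) while the flag is off.
        tester.executeUrl("page1");
        tester.assertRenderedPage(OldPage.class); // page content is OldPage either way
        assertCspHeader("page1 (OldPage rendered via RestartResponseException)");
    }

    // The check that distinguishes the two cases: the header on the final response.
    private void assertCspHeader(String context) {
        String csp = tester.getLastResponse().getHeader("Content-Security-Policy");
        assertNotNull(csp, "Content-Security-Policy header missing for " + context);
        assertFalse(csp.isBlank(), "Content-Security-Policy header empty for " + context);
    }

    // Minimal stand-in for the reporter's application class (hypothetical name);
    // repeats the mounts and blocking CSP configuration quoted in the report.
    static class CspToggleApplication extends WebApplication {
        @Override
        public Class<? extends Page> getHomePage() {
            return OldPage.class;
        }

        @Override
        protected void init() {
            super.init();
            mountPage("page1", NewPage.class);
            mountPage("page2", OldPage.class);
            getCspSettings().blocking();
        }
    }
}
```

Asserting on the last response's header rather than only on the rendered page is what makes the test sensitive to this bug: `assertRenderedPage(OldPage.class)` passes in both cases, because the markup is correct and only the header is missing.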
--
This message was sent by Atlassian Jira
(v8.20.10#820010)