This is an automated email from the ASF dual-hosted git repository.

reiern70 pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/wicket.git


The following commit(s) were added to refs/heads/master by this push:
     new f2719ba321 [WICKET-7028] do CSP related header generation both at 
onRequestHandlerResolved and onRequestHandlerExecuted. The same is applied for 
CrossOriginEmbedderPolicyRequestCycleListener and 
CrossOriginOpenerPolicyRequestCycleListener
f2719ba321 is described below

commit f2719ba321ff308852279deeb5396c915e4de3a5
Author: reiern70 <[email protected]>
AuthorDate: Wed Apr 5 14:48:09 2023 +0300

    [WICKET-7028] do CSP related header generation both at 
onRequestHandlerResolved and onRequestHandlerExecuted. The same is applied for 
CrossOriginEmbedderPolicyRequestCycleListener and 
CrossOriginOpenerPolicyRequestCycleListener
---
 ...ssOriginEmbedderPolicyRequestCycleListener.java | 19 +++++++++++--
 ...rossOriginOpenerPolicyRequestCycleListener.java | 19 +++++++++++--
 .../apache/wicket/csp/CSPRequestCycleListener.java | 32 +++++++++++++++-------
 3 files changed, 54 insertions(+), 16 deletions(-)

diff --git 
a/wicket-core/src/main/java/org/apache/wicket/coep/CrossOriginEmbedderPolicyRequestCycleListener.java
 
b/wicket-core/src/main/java/org/apache/wicket/coep/CrossOriginEmbedderPolicyRequestCycleListener.java
index e2f47f8152..d207787961 100644
--- 
a/wicket-core/src/main/java/org/apache/wicket/coep/CrossOriginEmbedderPolicyRequestCycleListener.java
+++ 
b/wicket-core/src/main/java/org/apache/wicket/coep/CrossOriginEmbedderPolicyRequestCycleListener.java
@@ -36,7 +36,7 @@ import jakarta.servlet.http.HttpServletRequest;
  * <code>Cross-Origin-Embedder-Policy</code>. The header is not set for the 
paths that are exempted
  * from COEP. The only valid value of COEP is <code>require-corp</code>, so if 
the listener is
  * enabled the policy value will be specified as so.
- *
+ * <p>
  * COEP prevents a document from loading any non-same-origin resources which 
don't explicitly grant
  * the document permission to be loaded. Using COEP and COOP together allows 
developers to safely
  * use powerful features such as <code>SharedArrayBuffer</code>,
@@ -44,7 +44,7 @@ import jakarta.servlet.http.HttpServletRequest;
  * {@link CrossOriginOpenerPolicyRequestCycleListener} for instructions on how 
to enable COOP.
  * Read more about cross-origin isolation on
  * <a href="https://web.dev/why-coop-coep/";>https://web.dev/why-coop-coep/</a>
- *
+ * <p>
  * 
  * @author Santiago Diaz - [email protected]
  * @author Ecenaz Jen Ozmen - [email protected]
@@ -58,7 +58,7 @@ public class CrossOriginEmbedderPolicyRequestCycleListener 
implements IRequestCy
 
        static final String REQUIRE_CORP = "require-corp";
 
-       private CrossOriginEmbedderPolicyConfiguration coepConfig;
+       private final CrossOriginEmbedderPolicyConfiguration coepConfig;
 
        public 
CrossOriginEmbedderPolicyRequestCycleListener(CrossOriginEmbedderPolicyConfiguration
 coepConfig)
        {
@@ -67,6 +67,18 @@ public class CrossOriginEmbedderPolicyRequestCycleListener 
implements IRequestCy
 
        @Override
        public void onRequestHandlerResolved(RequestCycle cycle, 
IRequestHandler handler)
+       {
+               // WICKET-7028- this is needed for redirect to buffer use case.
+               protect(cycle, handler);
+       }
+
+       @Override
+       public void onRequestHandlerExecuted(RequestCycle cycle, 
IRequestHandler handler)
+       {
+               protect(cycle, handler);
+       }
+
+       protected void protect(RequestCycle cycle, IRequestHandler handler)
        {
                final Object containerRequest = 
cycle.getRequest().getContainerRequest();
                if (containerRequest instanceof HttpServletRequest)
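Review bot: The new `protect` method is a protected, overridable hook on a security-header listener but carries no Javadoc, and it is now invoked from both `onRequestHandlerResolved` and `onRequestHandlerExecuted`, so it runs twice for every handler. Its body continues outside this hunk, so it cannot be confirmed from here that the header is written with an overwriting call rather than an appending one. That is worth checking so the response never carries a duplicated `Cross-Origin-Embedder-Policy` value. I would add `/** Sets the COEP header unless the request path is exempted. Called when the handler is resolved and again after it has executed, so overrides must be idempotent. */` above the method. The same applies to `protect` in the CrossOriginOpenerPolicyRequestCycleListener hunk at `-64,6 +64,19`.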
@@ -91,4 +103,5 @@ public class CrossOriginEmbedderPolicyRequestCycleListener 
implements IRequestCy
                        }
                }
        }
+
 }
diff --git 
a/wicket-core/src/main/java/org/apache/wicket/coop/CrossOriginOpenerPolicyRequestCycleListener.java
 
b/wicket-core/src/main/java/org/apache/wicket/coop/CrossOriginOpenerPolicyRequestCycleListener.java
index afbc569efe..4842360b98 100644
--- 
a/wicket-core/src/main/java/org/apache/wicket/coop/CrossOriginOpenerPolicyRequestCycleListener.java
+++ 
b/wicket-core/src/main/java/org/apache/wicket/coop/CrossOriginOpenerPolicyRequestCycleListener.java
@@ -31,7 +31,7 @@ import jakarta.servlet.http.HttpServletRequest;
  * Sets <a href="https://github.com/whatwg/html/pull/5334/files";>Cross-Origin 
Opener Policy</a>
  * headers on the responses based on the policy specified by {@link 
CrossOriginOpenerPolicyConfiguration}. The header
  * is not set for the paths that are exempted from COOP.
- *
+ * <p>
  * COOP is a mitigation against cross-origin information leaks and is used to 
make websites
  * cross-origin isolated. Setting the COOP header allows you to ensure that a 
top-level window is
  * isolated from other documents by putting them in a different browsing 
context group, so they
@@ -41,7 +41,7 @@ import jakarta.servlet.http.HttpServletRequest;
  * {@link CrossOriginEmbedderPolicyRequestCycleListener} for instructions * on 
how to enable COOP.
  * Read more about cross-origin isolation on
  * <a href="https://web.dev/why-coop-coep/";>https://web.dev/why-coop-coep/</a>
- *
+ * <p>
  *
  * @author Santiago Diaz - [email protected]
  * @author Ecenaz Jen Ozmen - [email protected]
@@ -55,7 +55,7 @@ public class CrossOriginOpenerPolicyRequestCycleListener 
implements IRequestCycl
 
        static final String COOP_HEADER = "Cross-Origin-Opener-Policy";
 
-       private CrossOriginOpenerPolicyConfiguration coopConfig;
+       private final CrossOriginOpenerPolicyConfiguration coopConfig;
 
        public 
CrossOriginOpenerPolicyRequestCycleListener(CrossOriginOpenerPolicyConfiguration
 coopConfig)
        {
@@ -64,6 +64,19 @@ public class CrossOriginOpenerPolicyRequestCycleListener 
implements IRequestCycl
 
        @Override
        public void onRequestHandlerResolved(RequestCycle cycle, 
IRequestHandler handler)
+       {
+               // WICKET-7028- this is needed for redirect to buffer use case.
+               protect(cycle, handler);
+       }
+
+       @Override
+       public void onRequestHandlerExecuted(RequestCycle cycle, 
IRequestHandler handler)
+       {
+               protect(cycle, handler);
+       }
+
+
+       protected void protect(RequestCycle cycle, IRequestHandler handler)
        {
                final Object containerRequest = 
cycle.getRequest().getContainerRequest();
                if (containerRequest instanceof HttpServletRequest)
diff --git 
a/wicket-core/src/main/java/org/apache/wicket/csp/CSPRequestCycleListener.java 
b/wicket-core/src/main/java/org/apache/wicket/csp/CSPRequestCycleListener.java
index cfd83f3137..a64469ded3 100644
--- 
a/wicket-core/src/main/java/org/apache/wicket/csp/CSPRequestCycleListener.java
+++ 
b/wicket-core/src/main/java/org/apache/wicket/csp/CSPRequestCycleListener.java
@@ -38,8 +38,20 @@ public class CSPRequestCycleListener implements 
IRequestCycleListener
                this.settings = settings;
        }
 
+       @Override
+       public void onRequestHandlerResolved(RequestCycle cycle, 
IRequestHandler handler)
+       {
+               // WICKET-7028- this is needed for redirect to buffer use case.
+               protect(cycle, handler);
+       }
+
        @Override
        public void onRequestHandlerExecuted(RequestCycle cycle, 
IRequestHandler handler)
+       {
+               protect(cycle, handler);
+       }
+
+       protected void protect(RequestCycle cycle, IRequestHandler handler)
        {
                if (!mustProtect(handler) || !(cycle.getResponse() instanceof 
WebResponse))
                {
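Review bot: With `protect` wired to both callbacks, `config.renderHeaderValue(settings, cycle)` (in the following hunk) is evaluated twice per handler, and the second `setHeader` replaces the value written by the first. If the rendered value carries per-request state such as a nonce, the header written after execution has to match what the markup was rendered with. Nothing visible in this diff guarantees that, so a test asserting that both invocations produce the same header for a nonce-enabled configuration would be worth adding. The inline comment could also state the reason rather than only the ticket, for example `// WICKET-7028: headers must already be set when the handler is resolved, otherwise they are missing in the redirect-to-buffer case`. The body of `protect` continues outside this hunk.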
@@ -53,16 +65,16 @@ public class CSPRequestCycleListener implements 
IRequestCycleListener
                }
 
                settings.getConfiguration().entrySet().stream().filter(entry -> 
entry.getValue().isSet())
-                       .forEach(entry -> {
-                               CSPHeaderMode mode = entry.getKey();
-                               CSPHeaderConfiguration config = 
entry.getValue();
-                               String headerValue = 
config.renderHeaderValue(settings, cycle);
-                               webResponse.setHeader(mode.getHeader(), 
headerValue);
-                               if (config.isAddLegacyHeaders())
-                               {
-                                       
webResponse.setHeader(mode.getLegacyHeader(), headerValue);
-                               }
-                       });
+                               .forEach(entry -> {
+                                       CSPHeaderMode mode = entry.getKey();
+                                       CSPHeaderConfiguration config = 
entry.getValue();
+                                       String headerValue = 
config.renderHeaderValue(settings, cycle);
+                                       webResponse.setHeader(mode.getHeader(), 
headerValue);
+                                       if (config.isAddLegacyHeaders())
+                                       {
+                                               
webResponse.setHeader(mode.getLegacyHeader(), headerValue);
+                                       }
+                               });
        }
 
        /**
