[
https://issues.apache.org/jira/browse/WICKET-7028?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17709273#comment-17709273
]
ASF GitHub Bot commented on WICKET-7028:
----------------------------------------
reiern70 commented on code in PR #569:
URL: https://github.com/apache/wicket/pull/569#discussion_r1159427006
##########
wicket-core/src/main/java/org/apache/wicket/coep/CrossOriginEmbedderPolicyRequestCycleListener.java:
##########
@@ -36,15 +36,15 @@
* <code>Cross-Origin-Embedder-Policy</code>. The header is not set for the
paths that are exempted
* from COEP. The only valid value of COEP is <code>require-corp</code>, so if
the listener is
* enabled the policy value will be specified as so.
- *
+ * <p>
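Review bot: the unchanged Javadoc line just above the new `<p>` says "The only valid value of COEP is require-corp", which is inaccurate, since the header also accepts unsafe-none and credentialless. As this hunk already touches the comment, reword it to say that require-corp is the value this listener sends. The next sentence, "the policy value will be specified as so", would read more clearly as "the header is sent with that value".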
Review Comment:
> you are right :) no specific warning at this line, sorry for the noise :(
No problem. Everything that makes wicket code better is welcomed :-)
>
> I'm not using IJ, I believe checkstyle and javadoc maven plugins can be configured to be more strict
Oh! I didn't check the result of those. Just that the code builds with maven
clean install on the terminal in my linux box.
At work we have the same "warnings war" because some people use IJ and others
use eclipse and we use gradle instead of maven and it is very difficult to get
all the parties to agree about what a warning is :-(
> CSP header not rendered when using RedirectPolicy.NEVER_REDIRECT
> ----------------------------------------------------------------
>
> Key: WICKET-7028
> URL: https://issues.apache.org/jira/browse/WICKET-7028
> Project: Wicket
> Issue Type: Bug
> Affects Versions: 9.12.0
> Reporter: Youri de Boer
> Assignee: Ernesto Reinaldo Barreiro
> Priority: Critical
> Fix For: 10.0.0, 9.13.0
>
> Attachments: examplecsp.zip, image-2023-04-05-10-58-33-645.png,
> image-2023-04-05-13-13-46-451.png, image-2023-04-05-13-19-40-207.png,
> image-2023-04-05-13-21-01-849.png, image-2023-04-05-14-35-49-714.png,
> withcsp.png, withoutcsp.png
>
>
> We're busy with a project to replace every page in our application with a
> newer version. We don't want to break existing bookmarks, but we also don't
> want to have untested new pages in production. As a solution, all our new
> pages are only accessible via a feature toggle.
> A simplified version looks like:
> SimplePage.html
> {code}
> <!DOCTYPE html>
> <html xmlns:wicket="http://wicket.apache.org">
> <head>
>     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
>     <title></title>
> </head>
> <body>
>     <div wicket:id="label"></div>
> </body>
> </html>
> {code}
> SimplePage.java
> {code}
> public class SimplePage extends WebPage {
>     public SimplePage() {
>         super();
>     }
> }
> {code}
>
> OldPage.java
> {code}
> public class OldPage extends SimplePage {
>     public OldPage() {
>     }
>     @Override
>     protected void onInitialize() {
>         super.onInitialize();
>         add(new Label("label", "OldPage"));
>     }
> }
> {code}
>
> NewPage.java
> {code}
> public class NewPage extends SimplePage {
>     public NewPage() {
>         if (featureFlagDisabled()) {
>             // new page is not ready yet, show users the old page
>             throw new RestartResponseException(
>                 new PageProvider(OldPage.class),
>                 RedirectPolicy.NEVER_REDIRECT
>             );
>         }
>     }
>     private boolean featureFlagDisabled() {
>         return true;
>     }
>     @Override
>     protected void onInitialize() {
>         super.onInitialize();
>         add(new Label("label", "NewPage"));
>     }
> }
> {code}
>
> And in our application class:
> {code}
> mountPage("page1", NewPage.class);
> mountPage("page2", OldPage.class);
> getCspSettings()
>     .blocking();
> {code}
> The url 'page1' is known to our users. The url 'page2' is not known to our
> users. Besides ending up with outdated bookmarks, there's no harm if they
> would access it directly.
> Regardless of which url you open, the RestartResponseException ensures the
> response in the browser is always 'OldPage'.
> However, the CSP is not included if wicket performs the internal redirect. If
> I open the url 'page2' directly, the result does include a CSP. See attached
> screenshots.
> A workaround for this issue is a client side redirect; but then the users
> would see the url change.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)