[jira] [Commented] (WICKET-7107) CSP Header not rendered when using RedirectPolicy.AUTO_REDIRECT

Thu, 09 May 2024 05:55:51 -0700 


    [ 
https://issues.apache.org/jira/browse/WICKET-7107?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17844975#comment-17844975
 ] 

ASF GitHub Bot commented on WICKET-7107:
----------------------------------------

reiern70 commented on code in PR #846:
URL: https://github.com/apache/wicket/pull/846#discussion_r1595398663


##########
wicket-core/src/main/java/org/apache/wicket/csp/CSPRequestCycleListener.java:
##########
@@ -39,14 +40,7 @@ public CSPRequestCycleListener(ContentSecurityPolicySettings 
settings)
        }
 
        @Override
-       public void onRequestHandlerResolved(RequestCycle cycle, 
IRequestHandler handler)
-       {
-               // WICKET-7028- this is needed for redirect to buffer use case.
-               protect(cycle, handler);
-       }
-
-       @Override
-       public void onRequestHandlerExecuted(RequestCycle cycle, 
IRequestHandler handler)
+       public void onUrlMapped(RequestCycle cycle, IRequestHandler handler, 
Url url)

Review Comment:
   I have tried this change with 
   
   https://issues.apache.org/jira/browse/WICKET-7028
   
   sample application and this change seems to be Ok. But to be honest I'm not 
sure this is the way we should go.  See 
   
   https://issues.apache.org/jira/browse/WICKET-7040
   
   
   
   





> CSP Header not rendered when using RedirectPolicy.AUTO_REDIRECT
> ---------------------------------------------------------------
>
>                 Key: WICKET-7107
>                 URL: https://issues.apache.org/jira/browse/WICKET-7107
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket-core
>    Affects Versions: 9.16.0
>            Reporter: Dirk Forchel
>            Priority: Major
>         Attachments: myproject.zip
>
>
> If we redirect to another Web Page and use the RedirectPolicy.AUTO_REDIRECT, 
> this results in the CSP directives being missing in the head of the result 
> page.
> I've attached a quickstart application to show the error. Just browse to 
> [http://localhost:8080/redirect|http://localhost:8080/redirect.] and use the 
> browser's developer console of your choice. The CSP is not included if Wicket 
> performs a RestartResponseException with a WebPage instance like this
> {code:java}
> throw new RestartResponseException(new HomePage(new PageParameters()));{code}
> If you open the home page directly 
> [http://localhost:8080/|http://localhost:8080/redirect.] the response does 
> include a CSP.
> There is an additional test for the CSPRequestCycleListener with different 
> page classes as test parameters.
> Relates to https://issues.apache.org/jira/browse/WICKET-7028



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to