dr0ps commented on code in PR #846:
URL: https://github.com/apache/wicket/pull/846#discussion_r1611370030
##########
wicket-core/src/main/java/org/apache/wicket/csp/CSPRequestCycleListener.java:
##########
@@ -39,14 +40,7 @@ public CSPRequestCycleListener(ContentSecurityPolicySettings
settings)
}
@Override
- public void onRequestHandlerResolved(RequestCycle cycle,
IRequestHandler handler)
- {
- // WICKET-7028- this is needed for redirect to buffer use case.
- protect(cycle, handler);
- }
-
- @Override
- public void onRequestHandlerExecuted(RequestCycle cycle,
IRequestHandler handler)
+ public void onUrlMapped(RequestCycle cycle, IRequestHandler handler,
Url url)
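Review bot: Removing the `onRequestHandlerResolved` override also removes the `protect(cycle, handler)` call that its comment tied to the WICKET-7028 redirect-to-buffer case, and the replacement `onUrlMapped(RequestCycle cycle, IRequestHandler handler, Url url)` carries no comment saying how that case is still covered. Please document on the new hook why acting at URL-mapping time is sufficient for redirect-to-buffer, or add a test for it, so that a regression of WICKET-7028 would be caught.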
Review Comment:
WICKET-7040 is never going to work, I think. Due to ajax requests,
components can be instantiated long after the original page has been created
and long after the original CSP has been sent to the browser. Additional CSPs
could be delivered to the client as meta tags but weakening the original CSP is
not allowed ( https://www.w3.org/TR/CSP3/#multiple-policies ). Therefore the
strictest possible set of policies has to be known before the page is rendered.
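The rule the review comment relies on (every policy is enforced, so a policy added later can only restrict further), as an added JavaScript sketch that is not part of the original message or of Wicket. It models only `script-src`/`default-src` with nonce and origin sources, and the policy strings and nonce values are constructed.

```javascript
// Added illustration, not Wicket code. Simplified model of CSP3 "multiple
// policies": only script-src/default-src with nonce and origin sources.

// Parse one policy string into { directive: [sources] }.
function parsePolicy(text) {
  const directives = {};
  for (const part of text.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // Per CSP, a repeated directive inside one policy is ignored.
    if (key && !(key in directives)) directives[key] = sources;
  }
  return directives;
}

// Does ONE policy allow the script? No script-src/default-src means no restriction.
function policyAllowsScript(policy, script) {
  const sources = policy['script-src'] ?? policy['default-src'];
  if (sources === undefined) return true;
  return sources.some((src) => {
    if (src.startsWith("'nonce-")) {
      return script.nonce !== undefined && src === `'nonce-${script.nonce}'`;
    }
    if (src.startsWith("'")) return false; // 'none' matches nothing; other keywords not modelled
    return src === script.origin;
  });
}

// The browser enforces every policy: a script runs only if ALL of them allow it.
function scriptAllowed(policyStrings, script) {
  return policyStrings.every((p) => policyAllowsScript(parsePolicy(p), script));
}

// Constructed values: header sent with the page, meta policy added after an Ajax update.
const headerPolicy = "script-src 'nonce-page1'";
const laterMetaPolicy = "script-src 'nonce-ajax2'";

function demo() {
  const pageScript = { nonce: 'page1' };
  const ajaxScript = { nonce: 'ajax2' }; // script of a component created later
  return {
    pageUnderHeader: scriptAllowed([headerPolicy], pageScript),
    ajaxUnderHeader: scriptAllowed([headerPolicy], ajaxScript),
    ajaxAfterMeta: scriptAllowed([headerPolicy, laterMetaPolicy], ajaxScript),
    pageAfterMeta: scriptAllowed([headerPolicy, laterMetaPolicy], pageScript),
  };
}

console.log(demo());
```

In this model the later policy never makes the Ajax-created script runnable, and it additionally blocks scripts that only the original header allowed.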