[ https://issues.apache.org/jira/browse/WICKET-7113?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17860881#comment-17860881 ]
Emond Papegaaij commented on WICKET-7113:
-----------------------------------------
No, I don't think so. Wicket only renders nonces if any of the CSP
configuration parts requires it to do so. This would require enabling Wicket's CSP
support. I would really suggest looking at using the CSP support provided by
Wicket. It is really powerful, highly configurable and automatically manages
nonces for scripts like this. It also integrates with the Ajax support, to
correctly add the required nonces to scripts and stylesheets sent via Ajax
updates. If you use the Wicket CSP support, you have to make sure all scripts
and stylesheets are rendered via header contributions (like how SubmitLink does
it). This allows Wicket to inject the correct nonce value everywhere.
> Wicket Ajax domReady colliding with existing scripting
> ------------------------------------------------------
>
> Key: WICKET-7113
> URL: https://issues.apache.org/jira/browse/WICKET-7113
> Project: Wicket
> Issue Type: Bug
> Components: wicket-core
> Affects Versions: 9.16.0
> Environment: Rhel 8, with Docker, Java 17 OpenJdk Adoptium
> Reporter: John Tal
> Priority: Major
>
> Related to SubmitLinks we now see this javascript being generated on the page
> in Wicket 9:
> <script type="text/javascript">/*<![CDATA[*/Wicket.Event.add(window,
> "domready", function(event) { Wicket.Event.add('id6', 'click',
> function(event) { var f =
> document.getElementById('id5');document.getElementById('id5_hf_0').innerHTML
> += '<input type="hidden" name="components/redeemSubmitLink" value="x"
> />';Wicket.Event.fire(f, 'submit');return
> false;;});;Wicket.Event.publish(Wicket.Event.Topic.AJAX_HANDLERS_BOUND);;});/*]]>*/</script>
>
> However, we have two instances where this is breaking existing code:
> A) In the case of having rolled out own CSP already in Wicket 8, migrating to
> Wicket 9 and turning off CSP for the app through the following:
>
>     public void init() {
>         getCspSettings().blocking().disabled();
>     }
>
> This still results in the above javascript being generated into the page
> and being blocked by our inhouse CSP. We don't want the above javascript
> added to the page at all.
>
> B) In the case of using intensive jquery already on pages, with CSP turned
> on in Wicket 9, our existing jquery scripting can't fire because of this code
> is on the page. The custom jquery code is already dealing with Nonce values
> and adding its own event handlers to the components on the page. So this is
> sort of a hybrid CSP approach. But we cannot avoid using this approach with
> jquery/nonce/eventhandlers as it's done in jquery at another company which
> maintains the jquery side and we maintain the wicket side.
> Again, we don't want the above javascript added to the page at all.
> For both cases we attempted to use setDefaultFormProcessing(false);
> however that results in no form submission at all.
>
> We probably just don't know what APIs to call to get Wicket to act like we
> need it to.
>
> already are using jquery and other scripting
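
The setup recommended in the comment above, sketched as an added example (not code from the issue, the commenter, or the Wicket project): a nonce-based policy is configured in `init()`, and page scripts are rendered through header contributions so Wicket can attach the nonce. `ExampleApplication`, `ExamplePage`, the script bodies and the `example-inline` id are hypothetical.

```java
import org.apache.wicket.Page;
import org.apache.wicket.csp.CSPDirective;
import org.apache.wicket.csp.CSPDirectiveSrcValue;
import org.apache.wicket.markup.head.IHeaderResponse;
import org.apache.wicket.markup.head.JavaScriptHeaderItem;
import org.apache.wicket.markup.head.OnDomReadyHeaderItem;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.protocol.http.WebApplication;

// Hypothetical application class, added for illustration only.
public class ExampleApplication extends WebApplication {

    @Override
    public Class<? extends Page> getHomePage() {
        return ExamplePage.class;
    }

    @Override
    protected void init() {
        super.init();
        // A directive that uses NONCE is what makes Wicket generate a nonce
        // and add it to the scripts and stylesheets it renders.
        getCspSettings().blocking()
            .clear()
            .add(CSPDirective.DEFAULT_SRC, CSPDirectiveSrcValue.NONE)
            .add(CSPDirective.SCRIPT_SRC, CSPDirectiveSrcValue.NONCE)
            .add(CSPDirective.STYLE_SRC, CSPDirectiveSrcValue.NONCE)
            .add(CSPDirective.IMG_SRC, CSPDirectiveSrcValue.SELF)
            .add(CSPDirective.CONNECT_SRC, CSPDirectiveSrcValue.SELF);
    }

    // Assumes markup in ExampleApplication$ExamplePage.html beside this class.
    public static class ExamplePage extends WebPage {
        @Override
        public void renderHead(IHeaderResponse response) {
            super.renderHead(response);
            // Per the comment above, scripts have to go through header
            // contributions like these for Wicket to inject the nonce.
            response.render(JavaScriptHeaderItem.forScript(
                "window.exampleReady = true;", "example-inline"));
            response.render(OnDomReadyHeaderItem.forScript(
                "document.title = 'ready';"));
        }
    }
}
```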