[jira] [Commented] (WICKET-7107) CSP Header not rendered when using RedirectPolicy.AUTO_REDIRECT

Wed, 23 Oct 2024 16:26:25 -0700 


    [ 
https://issues.apache.org/jira/browse/WICKET-7107?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17892318#comment-17892318
 ] 

Pedro Henrique Oliveira dos Santos commented on WICKET-7107:
------------------------------------------------------------

Hi, taking a look at the ticket's project, I could fix the problem just by 
configuring the ContentSecurityPolicySettings to extend its protection to 
buffered pages:

[https://github.com/pedrosans/wicket/commit/b0e84738c454d29c4867b8f184c4b2a678fcdb99]

I'm not sure what is the best way to fix this issue given the options:
 * to add a Component instantiation/Initialization listener, since the csp http 
headers are indeed just for pages
 * to improve on the current implementation using the CSPRequestCycleListener

 

> CSP Header not rendered when using RedirectPolicy.AUTO_REDIRECT
> ---------------------------------------------------------------
>
>                 Key: WICKET-7107
>                 URL: https://issues.apache.org/jira/browse/WICKET-7107
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket-core
>    Affects Versions: 9.16.0
>            Reporter: Dirk Forchel
>            Priority: Major
>         Attachments: myproject.zip
>
>
> If we redirect to another Web Page and use the RedirectPolicy.AUTO_REDIRECT, 
> this results in the CSP directives being missing in the head of the result 
> page.
> I've attached a quickstart application to show the error. Just browse to 
> [http://localhost:8080/redirect|http://localhost:8080/redirect.] and use the 
> browser's developer console of your choice. The CSP is not included if Wicket 
> performs a RestartResponseException with a WebPage instance like this
> {code:java}
> throw new RestartResponseException(new HomePage(new PageParameters()));{code}
> If you open the home page directly 
> [http://localhost:8080/|http://localhost:8080/redirect.] the response does 
> include a CSP.
> There is an additional test for the CSPRequestCycleListener with different 
> page classes as test parameters.
> Relates to https://issues.apache.org/jira/browse/WICKET-7028



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to