+1 - thanks for taking care of this! Regards Julian
On Mon, Feb 15, 2021 at 10:48 AM Konrad Windszus <konra...@gmx.de> wrote: > > +1 > > Konrad > > > On 15. Feb 2021, at 10:46, Radu Cotescu <r...@apache.org> wrote: > > > > Hi, > > > > I have to work on an update for the XSS Bundle and noticed that the adapter > > factory is still around. Is it ok if I revert the change from [2] as well? > > > > Thanks, > > Radu > > > > [2] - https://issues.apache.org/jira/browse/SLING-9874 > > > >> On 9 Nov 2020, at 17:02, Bertrand Delacretaz <bdelacre...@apache.org> > >> wrote: > >> > >> Hi, > >> > >> On Mon, Nov 9, 2020 at 1:31 PM Julian Sedding <jsedd...@gmail.com> wrote: > >>> ...In SLING-9874 I added an adapter factory to the XSS Protection API > >>> module, which can adapt a SlingHttpServletRequest or a > >>> ResourceResolver to an XSSAPI... > >> > >> Although we've been doing such things in the past I don't think it's a > >> good idea, as it's adapting a Request to <something different which is > >> not a request>. > >> > >> IOW I think adaptation should, in general, only be used to convert > >> between "different views of the same thing" which is not the case > >> here. Converting a Sling Resource to a JCR Node for example is clearly > >> "different views of the same thing", so ok from that perspective. > >> > >> I have the impression that there's an implicit consensus among several > >> of us about this but we might want to document it better. Sorry that > >> this lack of clarity is causing extra work for you. > >> > >>> ...Now, according to comments in SLING-9874 it seems that Konrad and Radu > >>> are opposed to this adapter factory... > >> > >> Given the above comments I also prefer that you omit that adapter > >> factory. I suppose the XSSAPI is an OSGi service, if that's the case > >> there are other, better, less "magic" ways to acquire it. > >> > >> -Bertrand > > >