svenmeier commented on a change in pull request #376: WICKET-6682 add CSP nonce
support: DecoratingHeaderResponse approach
URL: https://github.com/apache/wicket/pull/376#discussion_r303400169
##########
File path:
wicket-core/src/main/java/org/apache/wicket/markup/head/JavaScriptHeaderItem.java
##########
@@ -365,15 +372,54 @@ protected final void
internalRenderJavaScriptReference(Response response, String
boolean isAjax =
RequestCycle.get().find(IPartialPageRequestHandler.class).isPresent();
// the url needs to be escaped when Ajax, because it will break
the Ajax Response XML (WICKET-4777)
CharSequence escapedUrl = isAjax ? Strings.escapeMarkup(url):
url;
-
- JavaScriptUtils.writeJavaScriptUrl(response, escapedUrl, id,
defer, charset, async);
+ AttributeMap attributes = AttributeMap.of(
+ HeaderItemAttribute.TYPE, "text/javascript",
+ HeaderItemAttribute.SCRIPT_SRC,
String.valueOf(escapedUrl)
+ );
+ if (id != null)
+ {
+ attributes.add(HeaderItemAttribute.ID, id);
+ }
+ if (defer)
+ {
+ attributes.add(HeaderItemAttribute.SCRIPT_DEFER,
"defer");
+ }
+ if (charset != null)
+ {
+ // XXX this attribute is not necessary for modern
browsers
+ attributes.add("charset", charset);
+ }
+ if (async)
+ {
+ attributes.add(HeaderItemAttribute.SCRIPT_ASYNC,
"async");
+ }
+ attributes.compute(HeaderItemAttribute.CSP_NONCE,
this::getNonce);
Review comment:
Why the hassle with lambdas? A few lines above a simple not-null check works
fine too.
I'd prefer a method in AttributeMap (what good is that class anyway), that
ignores an attribute if a null value is given.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
With regards,
Apache Git Services
