martin-g commented on a change in pull request #382: WICKET-6688 add RFC and 
replace eval with DOM eval
URL: https://github.com/apache/wicket/pull/382#discussion_r322741567
 
 

 ##########
 File path: 
wicket-examples/src/main/java/org/apache/wicket/examples/csp/CspApplication.java
 ##########
 @@ -69,4 +88,19 @@ public static String getNonce()
                }
                return nonce;
        }
+
+       public static boolean isCspApplicable()
+       {
+               Request request = RequestCycle.get().getRequest();
+               if (request instanceof ServletWebRequest)
+               {
+                       // Unfortunately Edge does things worse than just 
"doesn't support" it does support the CSP,
+                       // but the 'nonce' and 'strict-dynamic' instructions 
were broken for ages.
+                       // Edge issue 
https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/13246371/
+                       // It's OK in new Edge chromium beta, also the new Edge 
has Edg/ in User-Agent header instead of Edge/
+                       return 
!((ServletWebRequest)request).getContainerRequest().getHeader("User-Agent").contains("Edge/");
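Review bot: The return statement in isCspApplicable() calls .contains("Edge/") directly on the result of getHeader("User-Agent"), and getHeader returns null when a request carries no User-Agent header, so such a request throws a NullPointerException here. Read the header into a local variable first and return a defined result when it is null, for example `String ua = ...getHeader("User-Agent"); return ua == null || !ua.contains("Edge/");`. It would also help to say in the Javadoc that this is a User-Agent substring check, which a client can set to any value, so it should only decide whether the CSP header is sent and not be relied on for anything else.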
 
 Review comment:
   Does that mean that each and every application out there needs to add this 
snippet of code?
   One of the reasons why CSP has been postponed for a few years is that the 
browser support was problematic for a long time.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services
