andruhon commented on a change in pull request #382: WICKET-6688 add RFC and 
replace eval with DOM eval
URL: https://github.com/apache/wicket/pull/382#discussion_r323974920
 
 

 ##########
 File path: 
wicket-examples/src/main/java/org/apache/wicket/examples/csp/CspApplication.java
 ##########
 @@ -45,9 +51,22 @@ protected void init()
        {
                super.init();
 
-               setHeaderResponseDecorator(response -> new 
ResourceAggregator(new CspNonceHeaderResponse(response, getNonce())));
+               // Decorate all header items with nonce
+               setHeaderResponseDecorator(response -> new ResourceAggregator(
+                               isCspApplicable() ? new 
CspNonceHeaderResponse(response, getNonce()) : response
+               ));
+               // add nonce to ajax response
+               getAjaxRequestTargetListeners().add((new 
AjaxRequestTarget.IListener()
+               {
+                       @Override
+                       public void onBeforeRespond(Map<String, Component> map, 
AjaxRequestTarget target)
+                       {
+                               target.addMeta("nonce", getNonce());
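Review bot: the Ajax listener is not guarded by the same `isCspApplicable()` check that the header decorator now uses. `target.addMeta("nonce", getNonce())` in `onBeforeRespond` runs for every Ajax response, so a nonce is emitted to the client even when the CSP header decoration (`CspNonceHeaderResponse`) is skipped, and the two paths disagree about whether CSP is in effect. Wrap the `addMeta` call, or the listener registration itself, in `if (isCspApplicable())` so the Ajax path follows the same switch; the hunk is cut off inside the listener here, so the rest of the `IListener` body is not visible in this excerpt.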
 
 Review comment:
   @svenmeier The meta added in CspNonceHeaderResponse is doing the same thing as the header. It just feeds the policy into the browser. Generally browsers wipe all nonces from the HTML on page load (i.e. the nonce attr of the script tag).
   
   `document.querySelector("meta").getAttribute("content")` still does return content with the nonce, but I suspect the same thing which happened to script tags could be applied soon. Also, somebody might prefer to only use the response header, but not meta.
   
   That's why I prefer to send a nonce with the response.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services
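The client-side half of the discussion above, as an added example that is not part of the pull request or of Wicket's own JavaScript: resolve the nonce a page is allowed to use (from an Ajax response, from a `<meta http-equiv="Content-Security-Policy">` element, or from the `nonce` IDL property of an existing script element, since the content attribute is blanked by the browser once a header-delivered policy is in effect) and then run script text through a nonce-carrying `<script>` element instead of `eval()`, which a `'nonce-...'` policy forbids without `'unsafe-eval'`. The functions `parsePolicy`, `scriptNonceFromPolicy`, `resolveNonce` and `domEval`, and the way the nonce reaches the Ajax handler (passed in as a plain string), are assumptions of this example, not Wicket API.

```javascript
// Added example (not Wicket's code): CSP nonce resolution and DOM-based script
// evaluation for a client that must stay inside a 'nonce-...' script-src policy.

// Parse a Content-Security-Policy string (header value or <meta content>) into a
// Map of directive name -> source list. Per the CSP spec, only the first
// occurrence of a directive is honoured.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Return the nonce that governs inline <script> elements, following CSP
// fallback order (script-src-elem -> script-src -> default-src). Fallback only
// happens when the more specific directive is absent: a script-src without a
// nonce does NOT fall through to default-src. Returns null when no nonce applies.
function scriptNonceFromPolicy(policy) {
  const directives = parsePolicy(policy);
  for (const name of ['script-src-elem', 'script-src', 'default-src']) {
    const sources = directives.get(name);
    if (!sources) continue;
    for (const src of sources) {
      // 'nonce-' is matched case-insensitively; the base64 value itself is not.
      const m = /^'nonce-([A-Za-z0-9+\/_-]+=*)'$/i.exec(src);
      if (m) return m[1];
    }
    return null;
  }
  return null;
}

// Pick the nonce available to the page, most explicit source first:
//  1. a nonce shipped with the Ajax response (hypothetical transport: the caller
//     passes it in as a string, however the application chose to send it),
//  2. the policy in <meta http-equiv="Content-Security-Policy">, whose content
//     attribute the browser does not hide,
//  3. the nonce IDL property of an existing script element. When a
//     header-delivered policy is in effect the browser clears the nonce CONTENT
//     attribute on connection (getAttribute('nonce') returns ""), but the IDL
//     property (element.nonce) still returns the value.
function resolveNonce(doc, ajaxNonce) {
  if (ajaxNonce) return ajaxNonce;
  const meta = doc.querySelector('meta[http-equiv="Content-Security-Policy" i]');
  if (meta) {
    const fromMeta = scriptNonceFromPolicy(meta.getAttribute('content') || '');
    if (fromMeta) return fromMeta;
  }
  const script = doc.querySelector('script[nonce]'); // attribute still present, just empty
  return script && script.nonce ? script.nonce : null;
}

// "DOM eval": execute script text by inserting a <script> element that carries
// the nonce. eval()/new Function() would need 'unsafe-eval'; a nonced element
// is allowed by 'nonce-...' policies. The nonce is set through the IDL property
// rather than setAttribute so the value is not exposed as markup, and the
// element is removed right after it has executed. Returns the element so the
// caller (or a test) can inspect what was inserted.
function domEval(doc, code, nonce) {
  if (!nonce) throw new Error('refusing to evaluate script without a CSP nonce');
  const script = doc.createElement('script');
  script.nonce = nonce;
  script.textContent = code;
  doc.head.appendChild(script); // inline script runs synchronously on insertion
  script.remove();
  return script;
}

// Browser usage (skipped when run outside a browser, e.g. under Node):
if (typeof document !== 'undefined') {
  const nonce = resolveNonce(document, null);
  domEval(document, 'console.log("evaluated under CSP with nonce")', nonce);
}
```

The refusal in `domEval` when no nonce can be resolved is deliberate: inserting an un-nonced inline script under a nonce policy is silently blocked by the browser, and failing loudly in the client makes that misconfiguration visible instead of leaving the Ajax update half-applied.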
