andruhon commented on a change in pull request #382: WICKET-6688 add RFC and replace eval with DOM eval URL: https://github.com/apache/wicket/pull/382#discussion_r323974920
########## File path: wicket-examples/src/main/java/org/apache/wicket/examples/csp/CspApplication.java ########## @@ -45,9 +51,22 @@ protected void init() { super.init(); - setHeaderResponseDecorator(response -> new ResourceAggregator(new CspNonceHeaderResponse(response, getNonce()))); + // Decorate all header items with nonce + setHeaderResponseDecorator(response -> new ResourceAggregator( + isCspApplicable() ? new CspNonceHeaderResponse(response, getNonce()) : response + )); + // add nonce to ajax response + getAjaxRequestTargetListeners().add((new AjaxRequestTarget.IListener() + { + @Override + public void onBeforeRespond(Map<String, Component> map, AjaxRequestTarget target) + { + target.addMeta("nonce", getNonce()); Review comment: @svenmeier meta added in CspNonceHeaderResponse is doing the same thing as header. It just feeds the policy into the browser. Generally browsers wipe all nonces from html on page load (i.e. nonce attr of script tag). `document.querySelector("meta").getAttribute("content")` still does return content with nonce, but I suspect the same thing which happened to script tags could be applied soon. Also Somebody might prefer to only use response header, but not meta. That's why I prefer to send a nonce with response. ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services