papegaaij opened a new pull request #399: WICKET-6727: Configurable Content-Security-Policy
URL: https://github.com/apache/wicket/pull/399

I'm opening this PR to get some feedback on the suggested changes. The structure of the code is what I have in mind for this. I do know the documentation is still lacking a bit, but I plan on updating that when the code is ready to be merged. The most important notes are:

- CSP is now enabled by default, but still with the unsafeEval() profile. I've clicked through several examples, and they worked fine. It does complain about a font css that cannot be loaded.
- CSP is part of WebApplication and configured via `getCSP()`. The header response decorator is automatically registered and will add nonces when required. The previous header decorator is removed.
- The CSP is rendered as HTTP header on every Page request, rather than in the markup. The nonce is changed on every request.
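The last bullet above (the policy sent as an HTTP header, with a nonce that changes on every request) shown as an added example; it is not code from the pull request or from Wicket. The class name, method names and policy string are constructed for illustration, and `inlineScriptAllowed` is a simplified stand-in for the browser's nonce check.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class CspNonceDemo {
    private static final SecureRandom RNG = new SecureRandom();
    private static final Pattern TAG_NONCE =
        Pattern.compile("<script[^>]*\\snonce=\"([^\"]+)\"");

    // One unpredictable value per response; never reused across requests.
    static String newNonce() {
        byte[] raw = new byte[18];
        RNG.nextBytes(raw);
        return Base64.getEncoder().encodeToString(raw);
    }

    // Constructed policy for illustration, not Wicket's default profile.
    static String headerValue(String nonce) {
        return "default-src 'none'; script-src 'self' 'nonce-" + nonce + "'";
    }

    // What a header decorator has to do for inline scripts it renders.
    static String inlineScript(String js, String nonce) {
        return "<script nonce=\"" + nonce + "\">" + js + "</script>";
    }

    // Simplified browser-side rule: the tag's nonce must be listed in script-src.
    static boolean inlineScriptAllowed(String header, String tag) {
        Matcher m = TAG_NONCE.matcher(tag);
        if (!m.find()) return false;               // no nonce attribute: blocked
        String wanted = "'nonce-" + m.group(1) + "'";
        for (String directive : header.split(";")) {
            String d = directive.trim();
            if (!d.startsWith("script-src ")) continue;
            for (String src : d.split("\\s+")) {
                if (src.equals(wanted)) return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        String n1 = newNonce(), n2 = newNonce();   // two simulated requests
        String page1 = inlineScript("init();", n1);
        System.out.println("Content-Security-Policy: " + headerValue(n1));
        System.out.println("same request:    " + inlineScriptAllowed(headerValue(n1), page1));
        System.out.println("replayed markup: " + inlineScriptAllowed(headerValue(n2), page1));
        System.out.println("no nonce attr:   " + inlineScriptAllowed(headerValue(n1), "<script>init();</script>"));
    }
}
```

Only the first check passes: markup carrying an earlier request's nonce, or no nonce at all, does not match the header sent with the current response.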