Hi, "window.defaultStatus" could be easily replaced with console.log()
Those are usually used in DEV mode. I think it is fine to preserve them.
As a last resort we can render the value as a response header. I remember Chromium has handling for some special response header and puts its value in Dev Tools > Performance tab. I don't recall the name of the header at the moment.

On Tue, Feb 4, 2020 at 9:39 PM Emond Papegaaij <emond.papega...@gmail.com> wrote:

> Hi all,
>
> Do you agree on this one? I see no use for these classes anymore, as
> support for window.defaultStatus has been dropped by all major
> browsers. They also log server time, but we have other and better
> solutions for that.
>
> Best regards,
> Emond
>
> On Tue, Feb 4, 2020 at 8:37 PM Emond Papegaaij (Jira) <j...@apache.org> wrote:
> >
> > Emond Papegaaij created WICKET-6745:
> > ---------------------------------------
> >
> >              Summary: CSP: inline JS in server and clienttime response filters
> >                  Key: WICKET-6745
> >                  URL: https://issues.apache.org/jira/browse/WICKET-6745
> >              Project: Wicket
> >           Issue Type: Bug
> >           Components: wicket-core, wicket-examples
> >     Affects Versions: 9.0.0-M4
> >             Reporter: Emond Papegaaij
> >
> >
> > {{ServerAndClientTimeFilter}}, {{AjaxServerAndClientTimeFilter}} and
> > {{ServerHostNameAndTimeFilter}} all render inline script tags. Because
> > these tags are rendered in a non-standard way, the nonce is not added,
> > violating the CSP.
> >
> > These filters all put status information in {{window.defaultStatus}}.
> > This property has been deprecated for years and support has been removed in
> > most (if not all) browsers. My suggestion is to deprecate these classes in
> > core and remove the one in examples. In the deprecated version, there is no
> > need to fix the CSP violation.
> >
> >
> >
> > --
> > This message was sent by Atlassian Jira
> > (v8.3.4#803005)
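
An added example, not part of the thread or of Wicket's code: a small Java check for the problem WICKET-6745 describes, listing inline `<script>` tags in a rendered response that do not carry the page's CSP nonce. The class name, the sample HTML and the nonce value are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example (hypothetical class): finds inline scripts a nonce-based CSP would block. */
public class InlineScriptNonceCheck {
    // Opening <script ...> tag; group 1 holds the attribute text.
    private static final Pattern SCRIPT_TAG =
        Pattern.compile("<script\\b([^>]*)>", Pattern.CASE_INSENSITIVE);
    // Attribute names must not be preceded by a word character or '-' (skips data-src etc.).
    private static final Pattern SRC_ATTR =
        Pattern.compile("(?<![\\w-])src\\s*=", Pattern.CASE_INSENSITIVE);
    private static final Pattern NONCE_ATTR =
        Pattern.compile("(?<![\\w-])nonce\\s*=\\s*[\"']([^\"']*)[\"']", Pattern.CASE_INSENSITIVE);

    /** Returns the opening tags of inline scripts that lack expectedNonce. */
    static List<String> findViolations(String html, String expectedNonce) {
        List<String> violations = new ArrayList<>();
        Matcher tag = SCRIPT_TAG.matcher(html);
        while (tag.find()) {
            String attrs = tag.group(1);
            if (SRC_ATTR.matcher(attrs).find()) {
                continue; // external script: out of scope for this inline-script check
            }
            Matcher nonce = NONCE_ATTR.matcher(attrs);
            if (!nonce.find() || !nonce.group(1).equals(expectedNonce)) {
                violations.add(tag.group());
            }
        }
        return violations;
    }

    public static void main(String[] args) {
        String nonce = "r4nd0mNonce"; // constructed sample value
        // Constructed response body: one script rendered with the nonce,
        // one appended without it, as the issue says the time filters do.
        String html = "<html><head>"
            + "<script type=\"text/javascript\" nonce=\"r4nd0mNonce\">init();</script>"
            + "</head><body>...</body>"
            + "<script type=\"text/javascript\">window.defaultStatus='Server time: 0.012s';</script>"
            + "</html>";
        for (String tag : findViolations(html, nonce)) {
            System.out.println("inline script without matching nonce: " + tag);
        }
    }
}
```

Run against a captured response in a test, a non-empty result points at markup that was written outside the normal header rendering path and so missed the nonce.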