On Tue, Feb 4, 2020 at 9:51 PM Martin Grigorov <[email protected]> wrote:
> Hi,
>
> "window.defaultStatus" could be easily replaced with console.log()
>
> Those are usually used in DEV mode. I think it is fine to preserve them.
>
> As a last resort we can render the value as a response header.
> I remember Chromium has handling for some special response header and puts
> its value in Dev Tools > Performance tab. I don't recall the name of the
> header at the moment.
> https://ma.ttias.be/server-timings-chrome-devtools/
>
> On Tue, Feb 4, 2020 at 9:39 PM Emond Papegaaij <[email protected]>
> wrote:
>
>> Hi all,
>>
>> Do you agree on this one? I see no use for these classes anymore, as
>> support for window.defaultStatus has been dropped by all major
>> browsers. They also log server time, but we have other and better
>> solutions for that.
>>
>> Best regards,
>> Emond
>>
>> On Tue, Feb 4, 2020 at 8:37 PM Emond Papegaaij (Jira) <[email protected]>
>> wrote:
>> >
>> > Emond Papegaaij created WICKET-6745:
>> > ---------------------------------------
>> >
>> >              Summary: CSP: inline JS in server and clienttime response filters
>> >                  Key: WICKET-6745
>> >                  URL: https://issues.apache.org/jira/browse/WICKET-6745
>> >              Project: Wicket
>> >           Issue Type: Bug
>> >           Components: wicket-core, wicket-examples
>> >     Affects Versions: 9.0.0-M4
>> >             Reporter: Emond Papegaaij
>> >
>> >
>> > {{ServerAndClientTimeFilter}}, {{AjaxServerAndClientTimeFilter}} and
>> > {{ServerHostNameAndTimeFilter}} all render inline script tags. Because
>> > these tags are rendered in a non-standard way, the nonce is not added,
>> > violating the CSP.
>> >
>> > These filters all put status information in {{window.defaultStatus}}.
>> > This property has been deprecated for years and support has been removed in
>> > most (if not all) browsers. My suggestion is to deprecate these classes in
>> > core and remove the one in examples. In the deprecated version, there is no
>> > need to fix the CSP violation.
>> >
>> >
>> >
>> > --
>> > This message was sent by Atlassian Jira
>> > (v8.3.4#803005)
>> >
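
The CSP violation reported in WICKET-6745, as an added example that is not part of this thread or of Wicket's code: a check that lists the inline script tags in a response body that lack a nonce allowed by the Content-Security-Policy header. The function names, policy, nonce and HTML are constructed for illustration, and the check assumes a nonce-based policy (hash sources and 'unsafe-inline' are not evaluated).

```python
import re
from html.parser import HTMLParser

# Constructed sample policy and page (not taken from Wicket output).
CSP = "default-src 'self'; script-src 'self' 'nonce-c2FtcGxlLW5vbmNl'"
HTML = """<html><head>
<script nonce="c2FtcGxlLW5vbmNl">init();</script>
<script src="/app.js"></script>
</head><body>
<script>window.defaultStatus = 'constructed status text';</script>
</body></html>"""

def csp_script_nonces(csp_header):
    """Nonces the policy allows for scripts (script-src, else default-src)."""
    directives = {}
    for part in csp_header.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])  # first wins
    sources = directives.get("script-src", directives.get("default-src", []))
    return {m.group(1) for s in sources
            if (m := re.fullmatch(r"'nonce-([A-Za-z0-9+/_=-]+)'", s))}

class InlineScriptFinder(HTMLParser):
    """Collects inline <script> elements (no src) as [nonce, text] pairs."""
    def __init__(self):
        super().__init__()
        self.inline = []
        self._open = False
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        self._open = tag == "script" and "src" not in attrs
        if self._open:
            self.inline.append([attrs.get("nonce"), ""])
    def handle_data(self, data):
        if self._open:
            self.inline[-1][1] += data
    def handle_endtag(self, tag):
        if tag == "script":
            self._open = False

def unnonced_inline_scripts(csp_header, html):
    """Inline scripts that carry no nonce allowed by the policy."""
    allowed = csp_script_nonces(csp_header)
    finder = InlineScriptFinder()
    finder.feed(html)
    finder.close()
    return [text.strip() for nonce, text in finder.inline if nonce not in allowed]
```

Run against rendered pages in a test suite, a non-empty result points at markup that bypassed the normal nonce-adding render path.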
