On Thu, Feb 27, 2020 at 11:56 AM Ernesto Reinaldo Barreiro
<reier...@gmail.com> wrote:
> On Thu, Feb 27, 2020 at 12:33 PM Andrea Del Bene <an.delb...@gmail.com>
> > In which way sub-frameworks should be affected? I mean, as far as I
> > understand it, if we disable CSP blocking configuration everything should
> > work "the old way", and that's why I would prefer to keep CSP disabled by
> > default.
> >
>
> Well if something is supported at core level then if associated projects
> want to comply with this new feature, which might be ideal, then they will
> have to be adapted (or not?). I'm not talking about not releasing the new
> feature. I'm talking about not releasing as part of 9.x, as it was said to
> be almost ready for release a few months ago, and defer it to 10.x (and
> try to release it soon).

As I've explained in the other thread, it is very likely that not much
needs to be done in additional frameworks. Also, when a framework is
not yet compliant with CSP, the user can temporarily disable CSP or
switch to a less strict version. As explained in the user guide, this
is just one line of code.

The changes made to the core of Wicket (removing inline styling and
js) were absolutely necessary to be able to support a strict CSP via
Wicket or any other way. This clearly is a wish of our users (and a
personal wish as well, because our application also needs it). Also I
think this truly is a very unique feature. I don't think any
framework offers such a strict CSP out of the box with so little effort
from the user.

Best regards,
Emond
