On Thu, Mar 12, 2020 at 3:34 PM Martin Grigorov <mgrigo...@apache.org>
wrote:

>
>
> On Thu, Mar 12, 2020 at 3:03 PM Emond Papegaaij <emond.papega...@gmail.com>
> wrote:
>
>> Hi Sven,
>>
>> Yes, you might be right. When rendering another page, normally the
>> header will be overridden when the second handler is resolved.
>> However, this will not happen when the page is not protected
>> (protectedPageFilter). Do you see a solution for this? Maybe recording
>> the desired action in the RequestCycle per handler, so the last
>> handler will always override the previous one? The action can then be
>> performed in onEndRequest. It would be nice if we had some tests for
>> this, but I'm not that experienced in writing tests with WicketTester
>> :)
>>
>
> One is never too old to learn how to write tests with WicketTester! ;-)
>

Actually, every time you look into some part of Wicket code you find things
to improve.
Go look into it, Emond! :-)


>
>
>>
>> Setting the header on a resource usually doesn't make sense, but
>> doesn't hurt either. I haven't found a clear explanation of how CSP
>> values interact across requests. For example, for js you can use
>> strict-dynamic, but this doesn't apply to CSS, which breaks CSS loaded
>> via js.
>>
>> Best regards,
>> Emond
>>
>> On Thu, Mar 12, 2020 at 12:28 PM Sven Meier <s...@meiers.net> wrote:
>> >
>> > Hi Emond,
>> >
>> > it seems to me the CSPRequestCycleListener might add CSP headers
>> > prematurely.
>> >
>> > What if a request comes in for one page and another page is rendered in
>> > response?
>> > The listener will already add the headers when the request handler is
>> > resolved for the former page.
>> >
>> > What if the page streams back a resource? Setting the headers doesn't
>> > make sense then, does it?
>> >
>> > Sven
>> >
>>
>

Reply via email to