salcho opened a new pull request #439: URL: https://github.com/apache/wicket/pull/439
Hello Wicket devs,

This PR builds Fetch Metadata support on top of Wicket's existing CSRF protection, namely:

- If a request has `Sec-Fetch-*` headers (i.e. comes from a modern browser), Fetch Metadata will be preferred. Otherwise, we will fall back to using the existing cross-request checks.
- One default Resource Isolation Policy is provided based on [https://web.dev/fetch-metadata/](https://web.dev/fetch-metadata/), which prevents all major cross-site request forgery attacks.
- If the `Origin` or `Referer` headers are present, Fetch Metadata will apply the same exemptions as the existing Origin-based protection, i.e. allowing cross-origin requests from exempted origins.
- The `Vary` header has been added to responses through `onEndRequest` to ensure that any cached responses include Fetch Metadata headers in their key. This is an added layer of security against cache poisoning.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at: us...@infra.apache.org
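For readers who want to see the decision logic the PR description outlines, here is an added, self-contained Java example. It is not code from the pull request or from Wicket; it implements the Resource Isolation Policy in the shape given by the linked web.dev article, the fall-back when no `Sec-Fetch-*` headers are present, the Origin/Referer exemption for cross-site requests, and the `Vary` value to emit on responses. The class name, the `Decision` enum, the `EXEMPTED_ORIGINS` set, the use of plain `Map`s for headers and the sample requests in `main` are all assumptions made for the demonstration.

```java
import java.net.URI;
import java.util.Map;
import java.util.Set;

/**
 * Added example, not the PR's or Wicket's code: a standalone Resource Isolation
 * Policy following https://web.dev/fetch-metadata/, with the fall-back, the
 * Origin/Referer exemption and the Vary header the PR description mentions.
 */
public final class FetchMetadataPolicyDemo {

    /** Outcome of evaluating one request (names are assumptions for the demo). */
    public enum Decision { ALLOW_FETCH_METADATA, ALLOW_EXEMPTED_ORIGIN, FALL_BACK_TO_ORIGIN_CHECK, REJECT }

    /** Constructed for the example: origins the existing Origin-based check already exempts. */
    private static final Set<String> EXEMPTED_ORIGINS = Set.of("https://partner.example");

    /** Vary value so that caches key responses on the Fetch Metadata headers. */
    public static final String VARY_VALUE = "Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest";

    public static Decision evaluate(String method, Map<String, String> headers) {
        String site = header(headers, "Sec-Fetch-Site");
        if (site == null) {
            // No Fetch Metadata (older browser or non-browser client): defer to the existing checks.
            return Decision.FALL_BACK_TO_ORIGIN_CHECK;
        }
        String mode = header(headers, "Sec-Fetch-Mode");
        String dest = header(headers, "Sec-Fetch-Dest");

        // Same-origin, same-site and user-initiated ("none") requests are always fine.
        if (site.equals("same-origin") || site.equals("same-site") || site.equals("none")) {
            return Decision.ALLOW_FETCH_METADATA;
        }
        // Top-level GET navigations are allowed, except when the page is being embedded.
        if ("navigate".equals(mode) && "GET".equalsIgnoreCase(method)
                && !"object".equals(dest) && !"embed".equals(dest)) {
            return Decision.ALLOW_FETCH_METADATA;
        }
        // Any other cross-site request: honour the same exemptions as the Origin-based check.
        String origin = header(headers, "Origin");
        if (origin == null) {
            origin = originOfReferer(header(headers, "Referer"));
        }
        if (origin != null && EXEMPTED_ORIGINS.contains(origin)) {
            return Decision.ALLOW_EXEMPTED_ORIGIN;
        }
        return Decision.REJECT;
    }

    /** Reduces a Referer URL to its origin (scheme://host[:port]); null if unusable. */
    private static String originOfReferer(String referer) {
        if (referer == null) return null;
        try {
            URI u = URI.create(referer);
            if (u.getScheme() == null || u.getHost() == null) return null;
            StringBuilder sb = new StringBuilder(u.getScheme()).append("://").append(u.getHost());
            if (u.getPort() != -1) sb.append(':').append(u.getPort());
            return sb.toString();
        } catch (IllegalArgumentException e) {
            return null;
        }
    }

    /** Case-insensitive header lookup, since header names are case-insensitive. */
    private static String header(Map<String, String> h, String name) {
        for (Map.Entry<String, String> e : h.entrySet()) {
            if (e.getKey().equalsIgnoreCase(name)) return e.getValue();
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample requests covering each branch of the policy.
        System.out.println(evaluate("POST", Map.of(
                "Sec-Fetch-Site", "same-origin", "Sec-Fetch-Mode", "cors", "Sec-Fetch-Dest", "empty")));
        System.out.println(evaluate("GET", Map.of(
                "Sec-Fetch-Site", "cross-site", "Sec-Fetch-Mode", "navigate", "Sec-Fetch-Dest", "document")));
        System.out.println(evaluate("POST", Map.of(
                "Sec-Fetch-Site", "cross-site", "Sec-Fetch-Mode", "navigate", "Sec-Fetch-Dest", "document",
                "Origin", "https://other.example")));
        System.out.println(evaluate("POST", Map.of(
                "Sec-Fetch-Site", "cross-site", "Sec-Fetch-Mode", "cors", "Sec-Fetch-Dest", "empty",
                "Origin", "https://partner.example")));
        System.out.println(evaluate("POST", Map.of("Origin", "https://other.example")));
        System.out.println("Vary: " + VARY_VALUE);
    }
}
```

The five sample requests in `main` exercise, in order, a same-origin request, a cross-site top-level GET navigation, a cross-site POST from a non-exempted origin, a cross-site request from an exempted origin, and a request carrying no Fetch Metadata at all, which the policy hands back to the existing Origin-based check rather than deciding itself. The `Vary` value is what a response filter would set so that a shared cache never serves a response produced for one `Sec-Fetch-*` combination to a request with another.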