Thanks a lot Sven :) sorry I have not tested before On Sat, 3 Oct 2020 at 22:30, Sven Meier <s...@meiers.net> wrote:
> Ok, found the issue: > > With my change for https://issues.apache.org/jira/browse/WICKET-6821 the > CSP header decorator now comes *after* a possible > FilteringHeaderResponse. In this case no header items is ever passed on > for CSP header decoration, > > We have some implicit rules for decorators: > ResourceAggregator has to come first, then CSP and filtering should > happen after that. > > I'm looking for a solution. > > -1 to release 9.1.0 with this regression. > > Have fun > Sven > > > On 03.10.20 14:04, Maxim Solodovnik wrote: > > OK > > > > the problem is caused by adding `FilteringHeaderResponse` > > > https://github.com/solomax/ajax-download/blob/master/src/main/java/org/apache/WicketApplication.java#L50 > > > > here is the quickstart https://github.com/solomax/ajax-download > > > > On Sat, 3 Oct 2020 at 18:11, Maxim Solodovnik <solomax...@gmail.com> > wrote: > > > >> ls -1 webapps/openmeetings/WEB-INF/lib/wicket* > >> webapps/openmeetings/WEB-INF/lib/wicket-auth-roles-9.1.0.jar > >> webapps/openmeetings/WEB-INF/lib/wicket-bootstrap-core-5.0.1.jar > >> webapps/openmeetings/WEB-INF/lib/wicket-bootstrap-extensions-5.0.1.jar > >> webapps/openmeetings/WEB-INF/lib/wicket-bootstrap-themes-5.0.1.jar > >> webapps/openmeetings/WEB-INF/lib/wicket-core-9.1.0.jar > >> webapps/openmeetings/WEB-INF/lib/wicket-devutils-9.1.0.jar > >> webapps/openmeetings/WEB-INF/lib/wicket-extensions-9.1.0.jar > >> webapps/openmeetings/WEB-INF/lib/wicket-ioc-9.1.0.jar > >> webapps/openmeetings/WEB-INF/lib/wicket-jquery-ui-9.0.0-M5.1.jar > >> > webapps/openmeetings/WEB-INF/lib/wicket-jquery-ui-calendar-9.0.0-M5.1.jar > >> webapps/openmeetings/WEB-INF/lib/wicket-jquery-ui-core-9.0.0-M5.1.jar > >> webapps/openmeetings/WEB-INF/lib/wicket-jquery-ui-plugins-9.0.0-M5.1.jar > >> webapps/openmeetings/WEB-INF/lib/wicket-native-websocket-core-9.1.0.jar > >> webapps/openmeetings/WEB-INF/lib/wicket-native-websocket-javax-9.1.0.jar > >> webapps/openmeetings/WEB-INF/lib/wicket-request-9.1.0.jar > >> webapps/openmeetings/WEB-INF/lib/wicket-spring-9.1.0.jar > >> webapps/openmeetings/WEB-INF/lib/wicketstuff-dashboard-core-9.1.0.jar > >> webapps/openmeetings/WEB-INF/lib/wicketstuff-datastore-common-9.1.0.jar > >> > webapps/openmeetings/WEB-INF/lib/wicketstuff-datastore-hazelcast-9.1.0.jar > >> webapps/openmeetings/WEB-INF/lib/wicketstuff-select2-9.1.0.jar > >> webapps/openmeetings/WEB-INF/lib/wicketstuff-urlfragment-9.1.0.jar > >> webapps/openmeetings/WEB-INF/lib/wicket-util-9.1.0.jar > >> webapps/openmeetings/WEB-INF/lib/wicket-webjars-3.0.0-M4.jar > >> > >> > >> same result, will try to create quickstart > >> > >> On Sat, 3 Oct 2020 at 17:18, Maxim Solodovnik <solomax...@gmail.com> > >> wrote: > >> > >>> Tomcat 9.0.38.0 (I doubt it is important) > >>> > >>> all jars are in webapps/openmeetings/WEB-INF/lib > >>> > >>> ls -1 wicket* > >>> > >>> wicket-auth-roles-9.1.0.jar > >>> wicket-bootstrap-core-5.0.1.jar > >>> wicket-bootstrap-extensions-5.0.1.jar > >>> wicket-bootstrap-themes-5.0.1.jar > >>> wicket-core-9.1.0.jar > >>> wicket-devutils-9.1.0.jar > >>> wicket-extensions-9.1.0.jar > >>> wicket-ioc-9.1.0.jar > >>> wicket-jquery-ui-9.0.0-M5.1.jar > >>> wicket-jquery-ui-calendar-9.0.0-M5.1.jar > >>> wicket-jquery-ui-core-9.0.0-M5.1.jar > >>> wicket-jquery-ui-plugins-9.0.0-M5.1.jar > >>> wicket-native-websocket-core-9.1.0.jar > >>> wicket-native-websocket-javax-9.1.0.jar > >>> wicket-request-9.1.0.jar > >>> wicket-spring-9.1.0.jar > >>> wicketstuff-dashboard-core-9.0.0.jar > >>> wicketstuff-datastore-common-9.0.0.jar > >>> wicketstuff-datastore-hazelcast-9.0.0.jar > >>> wicketstuff-select2-9.0.0.jar > >>> wicketstuff-urlfragment-9.0.0.jar > >>> wicket-util-9.1.0.jar > >>> wicket-webjars-3.0.0-M4.jar > >>> > >>> I'll try to re-build wicketstuff using 9.1.0 and try again > >>> > >>> On Sat, 3 Oct 2020 at 16:59, Sven Meier <s...@meiers.net> wrote: > >>> > >>>> The CSP example works fine. > >>>> > >>>> Do you have Wicket 9.0 and 9.1 on your classpath? > >>>> > >>>> Sven > >>>> > >>>> > >>>> On 03.10.20 08:13, Maxim Solodovnik wrote: > >>>>> Hello Sven, > >>>>> > >>>>> I was aware of this JIRA > >>>>> and have double-check with debugger: > >>>>> in `WebApplication.validateInit()` > >>>>> > >>>>> `getCspSettings().isEnabled() == true` > >>>>> and `getCspSettings().enforce(this);` was called .... > >>>>> > >>>>> > >>>>> > >>>>> On Sat, 3 Oct 2020 at 13:10, Sven Meier <s...@meiers.net> wrote: > >>>>> > >>>>>> Hi, > >>>>>> > >>>>>> could be https://issues.apache.org/jira/browse/WICKET-6821 > >>>>>> > >>>>>> Do you configure your CSP in #init()? > >>>>>> > >>>>>> Sven > >>>>>> > >>>>>> > >>>>>> Am 3. Oktober 2020 06:18:21 MESZ schrieb Maxim Solodovnik < > >>>>>> solomax...@gmail.com>: > >>>>>>> sorry for double posting, > >>>>>>> > >>>>>>> here are the first results: CSPNonceHeaderResponseDecorator was set > >>>> up, > >>>>>>> but > >>>>>>> breakpoint in it's `render` method wasn't hit > >>>>>>> something weird .... > >>>>>>> > >>>>>>> On Sat, 3 Oct 2020 at 08:47, Maxim Solodovnik < > solomax...@gmail.com> > >>>>>>> wrote: > >>>>>>> > >>>>>>>> Hello All, > >>>>>>>> > >>>>>>>> I have started testing this new release yesterday > >>>>>>>> Checksum and signature as well as local build from sources are OK > >>>>>>>> > >>>>>>>> BUT my main application is not working at all due to zero > resources > >>>>>>> are > >>>>>>>> loaded due to CSP errors > >>>>>>>> (we do have CSP rules in charge and CSP enabled) > >>>>>>>> Everything works as expected in Wicket 9.0.0 > >>>>>>>> > >>>>>>>> Are there any migration guides or something like this? > >>>>>>>> Advise on where should I start digging is highly appreciated > >>>>>>>> > >>>>>>>> p.s. I should test SNAPSHOTs earlier :((( > >>>>>>>> > >>>>>>>> On Sat, 3 Oct 2020 at 02:48, Andrea Del Bene < > an.delb...@gmail.com> > >>>>>>> wrote: > >>>>>>>>> This is a vote to release Apache Wicket 9.1.0 > >>>>>>>>> > >>>>>>>>> Please download the source distributions found in our staging > area > >>>>>>>>> linked below. > >>>>>>>>> > >>>>>>>>> I have included the signatures for both the source archives. This > >>>>>>> vote > >>>>>>>>> lasts for 72 hours minimum. > >>>>>>>>> > >>>>>>>>> [ ] Yes, release Apache Wicket 9.1.0 > >>>>>>>>> [ ] No, don't release Apache Wicket 9.1.0, because ... > >>>>>>>>> > >>>>>>>>> Distributions, changelog, keys and signatures can be found at: > >>>>>>>>> > >>>>>>>>> https://dist.apache.org/repos/dist/dev/wicket/9.1.0 > >>>>>>>>> > >>>>>>>>> Staging repository: > >>>>>>>>> > >>>>>>>>> > >>>> > https://repository.apache.org/content/repositories/orgapachewicket-1153/ > >>>>>>>>> The binaries are available in the above link, as are a staging > >>>>>>>>> repository for Maven. Typically the vote is on the source, but > >>>>>>> should > >>>>>>>>> you find a problem with one of the binaries, please let me know, > I > >>>>>>> can > >>>>>>>>> re-roll them some way or the other. > >>>>>>>>> > >>>>>>>>> Staging git repository data: > >>>>>>>>> > >>>>>>>>> Repository: g...@github.com:bitstorm/wicket.git > >>>>>>>>> Branch: build/wicket-9.1.0 > >>>>>>>>> Release tag: rel/wicket-9.1.0 > >>>>>>>>> > >>>>>>>>> > >>>>>>>>> > >>>> > ======================================================================== > >>>>>>>>> The signatures for the source release artefacts: > >>>>>>>>> > >>>>>>>>> > >>>>>>>>> Signature for apache-wicket-9.1.0.zip: > >>>>>>>>> > >>>>>>>>> -----BEGIN PGP SIGNATURE----- > >>>>>>>>> > >>>>>>>>> iQIzBAABCgAdFiEE0a6YZHC1pJw+aieyh48B+qjTVuEFAl93Wc8ACgkQh48B+qjT > >>>>>>>>> VuHC7w//dRcN3FzJ565Wqk+oi9bTd6DiFQgNQPK5YzyJ3D8PrL7WJh50V7MmE3OS > >>>>>>>>> Sv1JgMpnE5nNQXwxG95rrDYVoNU9CMcMML1sFzsYyJndbZzQCnRS+ICm7ngslUjZ > >>>>>>>>> dc92bEsTqJcL8pj1W3wSqmjdgFqD8FGRqRwkO1NI4KC9/TIh3N2WwhwAZALPfs4r > >>>>>>>>> X7yo+UQbpjwRLcSbOf+x4qFQJV7p6xES7XEK5CSrqqZzHCu7yi/YCsbk9tevN4g5 > >>>>>>>>> 7czDeBbW/6oz0b7n47k1XZemzgldwULFk5fzo75eau+Wxn+zcWCcOLAq6PrkuqKF > >>>>>>>>> 6+3kVo4nFeX+6MYyTPtM80e/mz5o9MyhpZB7Qz5PEboqr1he3OW/FezC0D1dvfAU > >>>>>>>>> x9YSGtOPOotveLq8P0w89PUwV2SI0UsrdL/vymhvZZf2F5ZmpR41cYd8hCr6FzSQ > >>>>>>>>> zNLqBc32r7DyhncDIL9eHlDiDrFcU8viXWdX8+RWHx/V2eqloExk+1pS1xNFlACH > >>>>>>>>> X9vBFVB9CGVXeeYrRiBiBsz8iueCh2GCdJp/paCLFod5R3KxzKnLzthIajIcoL8v > >>>>>>>>> tLuXSiqeHJip/A/eDnmFy8ROZOkq5UDUVEyVp5fmtyERFBuWk4LmAZuFe7sAu1Rm > >>>>>>>>> GJdKzRuDlACFZWd5JKzBO77XsvIcBGC1Dg+AmGmYGGddBNMlvTU= > >>>>>>>>> =pBMm > >>>>>>>>> -----END PGP SIGNATURE----- > >>>>>>>>> > >>>>>>>>> Signature for apache-wicket-9.1.0.tar.gz: > >>>>>>>>> > >>>>>>>>> -----BEGIN PGP SIGNATURE----- > >>>>>>>>> > >>>>>>>>> iQIzBAABCgAdFiEE0a6YZHC1pJw+aieyh48B+qjTVuEFAl93Wc4ACgkQh48B+qjT > >>>>>>>>> VuFisw//WCUwQEK4/yaguX948uGShjASOIf2N+umS+68tQRbrefNVpoTk3E1btvH > >>>>>>>>> kfZfx9JwZNAxu0W+9d4edcP/CY0cQ/Fl9kyIwCMokaZ+T6Uf74WKs+fT3klhKEY2 > >>>>>>>>> HFj/xP5VgeCr1BecP709qutJMJ37RHre2iZRGOdALn+gV3T+A9rT8XVx8dMCqQ7Z > >>>>>>>>> EjETgvZVpuaVbl4evCbUdsX5fjICVH0VhkFNcKGj0F8fQ5mIubVds/NpF2n0+ie0 > >>>>>>>>> blkUOqhRRniYcFPoaQKm8IrCRCKcwW5o67pthFaejJOz5wMrEJP0vIeVzY0bLHZL > >>>>>>>>> gzHWOU1wF++NB3WeA4+a7j6RjxDuLFTvABjlStRhs3mAlan93alFxdCYl7RWI6SX > >>>>>>>>> HtsVd0lW8Ug54zSVi+zCQbcg3AVFpZxpvL5URk+p40L03aPWh8JNbghffpo/j167 > >>>>>>>>> EKp81PEcSYXtMhjdNXbVHP1NKZmsFJgSKcx3TLuoaOVDuCgOSw+tg3tQjOcOiqak > >>>>>>>>> 0AZRamhZartVZ22BRuToAEQpP4c0iqC6Qq/2ZwSsKi77AYW7Vppdo/NExm2cFfIs > >>>>>>>>> RlA8xoefyxif/OskR+MpOZZHttNi5a9MRbcTUmkp5xsEijHZOJjUIVv5cAkOQKNo > >>>>>>>>> lfO006p8maAu09tkkEYUyVq0P5KQ0kgWNp0u3JsJdxzHlSVqxmk= > >>>>>>>>> =Hoxj > >>>>>>>>> -----END PGP SIGNATURE----- > >>>>>>>>> > >>>>>>>>> > >>>> > ======================================================================== > >>>>>>>>> CHANGELOG for 9.1.0: > >>>>>>>>> > >>>>>>>>> ** Bug > >>>>>>>>> > >>>>>>>>> * [WICKET-6702] - AsynchronousPageStore with > >>>>>>>>> NotDetachedModelChecker - "Not detached model found" exception on > >>>>>>>>> several fast sequential Ajax calls > >>>>>>>>> * [WICKET-6802] - FilePageStore writing to > >>>>>>>>> UserDefinedFileAttributeView might be null > >>>>>>>>> * [WICKET-6803] - wicket-objectsizeof-agent has no valid > >>>>>>> automatic > >>>>>>>>> module name > >>>>>>>>> * [WICKET-6806] - CSP header response decorator breaks > >>>>>>>>> JavaScriptFilteredIntoFooterHeaderResponse > >>>>>>>>> * [WICKET-6808] - Cannot add page to AjaxRequestTarget > >>>>>>>>> * [WICKET-6810] - Asynchronous+encrypted pagestore leads > to > >>>>>>>>> WicketRuntimeException > >>>>>>>>> * [WICKET-6813] - Setting child-src does not update > frame-src > >>>>>>> after > >>>>>>>>> initial assignment > >>>>>>>>> * [WICKET-6818] - NPE in WicketEndpoint onClose > >>>>>>>>> * [WICKET-6822] - AsynchronousPageStore Potential Memory > Leak > >>>>>>>>> * [WICKET-6825] - wicket-ioc 9.0.0 throws IAE with JDK14, > >>>> still > >>>>>>>>> includes outdated ASM 7.1.0 in cglib-nodep > >>>>>>>>> * [WICKET-6837] - Jupiter engine transitively included in > war > >>>>>>> file > >>>>>>>>> ** New Feature > >>>>>>>>> > >>>>>>>>> * [WICKET-6805] - Add Cross-Origin Opener Policy and > >>>>>>> Cross-Origin > >>>>>>>>> Embedder Policy support > >>>>>>>>> > >>>>>>>>> ** Improvement > >>>>>>>>> > >>>>>>>>> * [WICKET-6786] - CsrfPreventionRequestCycleListener > should > >>>>>>> support > >>>>>>>>> Fetch Metadata Request Headers > >>>>>>>>> * [WICKET-6807] - Fake Submitting Button > >>>>>>>>> * [WICKET-6821] - Completely disable CSP support > >>>>>>>>> * [WICKET-6824] - Use concatenation instead of > String.format > >>>>>>> for > >>>>>>>>> frequently called methods > >>>>>>>>> * [WICKET-6826] - Improve performance and reduce > allocations > >>>>>>> for > >>>>>>>>> Behaviors > >>>>>>>>> * [WICKET-6827] - Improve performance of Strings.join and > >>>>>>>>> Strings.replaceAll > >>>>>>>>> * [WICKET-6828] - Wrong tree branch icon with hidden > children > >>>>>>>>> * [WICKET-6829] - Use String.isEmpty() instead of > >>>>>>> "".equals(...) > >>>>>>>>> * [WICKET-6830] - Convert Behaviors into a static utility > >>>> class > >>>>>>> to > >>>>>>>>> reduce allocations > >>>>>>>>> * [WICKET-6831] - Try to flush the response before detach > >>>>>>>>> * [WICKET-6833] - Reduce allocations when merging page > >>>>>>> parameters > >>>>>>>>> * [WICKET-6835] - Improve performance of > >>>>>>>>> AbstractMapper.getPlaceholder > >>>>>>>>> * [WICKET-6838] - Improve performance of Strings.split > >>>>>>>>> > >>>>>>>>> > >>>>>>>> -- > >>>>>>>> Best regards, > >>>>>>>> Maxim > >>>>>>>> > >>>>>>> -- > >>>>>>> Best regards, > >>>>>>> Maxim > >>> > >>> -- > >>> Best regards, > >>> Maxim > >>> > >> > >> -- > >> Best regards, > >> Maxim > >> > > > -- Best regards, Maxim