Ok, found the issue:
With my change for https://issues.apache.org/jira/browse/WICKET-6821 the
CSP header decorator now comes *after* a possible
FilteringHeaderResponse. In this case no header items is ever passed on
for CSP header decoration,
We have some implicit rules for decorators:
ResourceAggregator has to come first, then CSP and filtering should
happen after that.
I'm looking for a solution.
-1 to release 9.1.0 with this regression.
Have fun
Sven
On 03.10.20 14:04, Maxim Solodovnik wrote:
OK
the problem is caused by adding `FilteringHeaderResponse`
https://github.com/solomax/ajax-download/blob/master/src/main/java/org/apache/WicketApplication.java#L50
here is the quickstart https://github.com/solomax/ajax-download
On Sat, 3 Oct 2020 at 18:11, Maxim Solodovnik <solomax...@gmail.com>
wrote:
ls -1 webapps/openmeetings/WEB-INF/lib/wicket*
webapps/openmeetings/WEB-INF/lib/wicket-auth-roles-9.1.0.jar
webapps/openmeetings/WEB-INF/lib/wicket-bootstrap-core-5.0.1.jar
webapps/openmeetings/WEB-INF/lib/wicket-bootstrap-extensions-5.0.1.jar
webapps/openmeetings/WEB-INF/lib/wicket-bootstrap-themes-5.0.1.jar
webapps/openmeetings/WEB-INF/lib/wicket-core-9.1.0.jar
webapps/openmeetings/WEB-INF/lib/wicket-devutils-9.1.0.jar
webapps/openmeetings/WEB-INF/lib/wicket-extensions-9.1.0.jar
webapps/openmeetings/WEB-INF/lib/wicket-ioc-9.1.0.jar
webapps/openmeetings/WEB-INF/lib/wicket-jquery-ui-9.0.0-M5.1.jar
webapps/openmeetings/WEB-INF/lib/wicket-jquery-ui-calendar-9.0.0-M5.1.jar
webapps/openmeetings/WEB-INF/lib/wicket-jquery-ui-core-9.0.0-M5.1.jar
webapps/openmeetings/WEB-INF/lib/wicket-jquery-ui-plugins-9.0.0-M5.1.jar
webapps/openmeetings/WEB-INF/lib/wicket-native-websocket-core-9.1.0.jar
webapps/openmeetings/WEB-INF/lib/wicket-native-websocket-javax-9.1.0.jar
webapps/openmeetings/WEB-INF/lib/wicket-request-9.1.0.jar
webapps/openmeetings/WEB-INF/lib/wicket-spring-9.1.0.jar
webapps/openmeetings/WEB-INF/lib/wicketstuff-dashboard-core-9.1.0.jar
webapps/openmeetings/WEB-INF/lib/wicketstuff-datastore-common-9.1.0.jar
webapps/openmeetings/WEB-INF/lib/wicketstuff-datastore-hazelcast-9.1.0.jar
webapps/openmeetings/WEB-INF/lib/wicketstuff-select2-9.1.0.jar
webapps/openmeetings/WEB-INF/lib/wicketstuff-urlfragment-9.1.0.jar
webapps/openmeetings/WEB-INF/lib/wicket-util-9.1.0.jar
webapps/openmeetings/WEB-INF/lib/wicket-webjars-3.0.0-M4.jar
same result, will try to create quickstart
On Sat, 3 Oct 2020 at 17:18, Maxim Solodovnik <solomax...@gmail.com>
wrote:
Tomcat 9.0.38.0 (I doubt it is important)
all jars are in webapps/openmeetings/WEB-INF/lib
ls -1 wicket*
wicket-auth-roles-9.1.0.jar
wicket-bootstrap-core-5.0.1.jar
wicket-bootstrap-extensions-5.0.1.jar
wicket-bootstrap-themes-5.0.1.jar
wicket-core-9.1.0.jar
wicket-devutils-9.1.0.jar
wicket-extensions-9.1.0.jar
wicket-ioc-9.1.0.jar
wicket-jquery-ui-9.0.0-M5.1.jar
wicket-jquery-ui-calendar-9.0.0-M5.1.jar
wicket-jquery-ui-core-9.0.0-M5.1.jar
wicket-jquery-ui-plugins-9.0.0-M5.1.jar
wicket-native-websocket-core-9.1.0.jar
wicket-native-websocket-javax-9.1.0.jar
wicket-request-9.1.0.jar
wicket-spring-9.1.0.jar
wicketstuff-dashboard-core-9.0.0.jar
wicketstuff-datastore-common-9.0.0.jar
wicketstuff-datastore-hazelcast-9.0.0.jar
wicketstuff-select2-9.0.0.jar
wicketstuff-urlfragment-9.0.0.jar
wicket-util-9.1.0.jar
wicket-webjars-3.0.0-M4.jar
I'll try to re-build wicketstuff using 9.1.0 and try again
On Sat, 3 Oct 2020 at 16:59, Sven Meier <s...@meiers.net> wrote:
The CSP example works fine.
Do you have Wicket 9.0 and 9.1 on your classpath?
Sven
On 03.10.20 08:13, Maxim Solodovnik wrote:
Hello Sven,
I was aware of this JIRA
and have double-check with debugger:
in `WebApplication.validateInit()`
`getCspSettings().isEnabled() == true`
and `getCspSettings().enforce(this);` was called ....
On Sat, 3 Oct 2020 at 13:10, Sven Meier <s...@meiers.net> wrote:
Hi,
could be https://issues.apache.org/jira/browse/WICKET-6821
Do you configure your CSP in #init()?
Sven
Am 3. Oktober 2020 06:18:21 MESZ schrieb Maxim Solodovnik <
solomax...@gmail.com>:
sorry for double posting,
here are the first results: CSPNonceHeaderResponseDecorator was
set
up,
but
breakpoint in it's `render` method wasn't hit
something weird ....
On Sat, 3 Oct 2020 at 08:47, Maxim Solodovnik <
solomax...@gmail.com>
wrote:
Hello All,
I have started testing this new release yesterday
Checksum and signature as well as local build from sources are OK
BUT my main application is not working at all due to zero
resources
are
loaded due to CSP errors
(we do have CSP rules in charge and CSP enabled)
Everything works as expected in Wicket 9.0.0
Are there any migration guides or something like this?
Advise on where should I start digging is highly appreciated
p.s. I should test SNAPSHOTs earlier :(((
On Sat, 3 Oct 2020 at 02:48, Andrea Del Bene <
an.delb...@gmail.com>
wrote:
This is a vote to release Apache Wicket 9.1.0
Please download the source distributions found in our staging
area
linked below.
I have included the signatures for both the source archives.
This
vote
lasts for 72 hours minimum.
[ ] Yes, release Apache Wicket 9.1.0
[ ] No, don't release Apache Wicket 9.1.0, because ...
Distributions, changelog, keys and signatures can be found at:
https://dist.apache.org/repos/dist/dev/wicket/9.1.0
Staging repository:
https://repository.apache.org/content/repositories/orgapachewicket-1153/
The binaries are available in the above link, as are a staging
repository for Maven. Typically the vote is on the source, but
should
you find a problem with one of the binaries, please let me
know, I
can
re-roll them some way or the other.
Staging git repository data:
Repository: g...@github.com:bitstorm/wicket.git
Branch: build/wicket-9.1.0
Release tag: rel/wicket-9.1.0
========================================================================
The signatures for the source release artefacts:
Signature for apache-wicket-9.1.0.zip:
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEE0a6YZHC1pJw+aieyh48B+qjTVuEFAl93Wc8ACgkQh48B+qjT
VuHC7w//dRcN3FzJ565Wqk+oi9bTd6DiFQgNQPK5YzyJ3D8PrL7WJh50V7MmE3OS
Sv1JgMpnE5nNQXwxG95rrDYVoNU9CMcMML1sFzsYyJndbZzQCnRS+ICm7ngslUjZ
dc92bEsTqJcL8pj1W3wSqmjdgFqD8FGRqRwkO1NI4KC9/TIh3N2WwhwAZALPfs4r
X7yo+UQbpjwRLcSbOf+x4qFQJV7p6xES7XEK5CSrqqZzHCu7yi/YCsbk9tevN4g5
7czDeBbW/6oz0b7n47k1XZemzgldwULFk5fzo75eau+Wxn+zcWCcOLAq6PrkuqKF
6+3kVo4nFeX+6MYyTPtM80e/mz5o9MyhpZB7Qz5PEboqr1he3OW/FezC0D1dvfAU
x9YSGtOPOotveLq8P0w89PUwV2SI0UsrdL/vymhvZZf2F5ZmpR41cYd8hCr6FzSQ
zNLqBc32r7DyhncDIL9eHlDiDrFcU8viXWdX8+RWHx/V2eqloExk+1pS1xNFlACH
X9vBFVB9CGVXeeYrRiBiBsz8iueCh2GCdJp/paCLFod5R3KxzKnLzthIajIcoL8v
tLuXSiqeHJip/A/eDnmFy8ROZOkq5UDUVEyVp5fmtyERFBuWk4LmAZuFe7sAu1Rm
GJdKzRuDlACFZWd5JKzBO77XsvIcBGC1Dg+AmGmYGGddBNMlvTU=
=pBMm
-----END PGP SIGNATURE-----
Signature for apache-wicket-9.1.0.tar.gz:
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEE0a6YZHC1pJw+aieyh48B+qjTVuEFAl93Wc4ACgkQh48B+qjT
VuFisw//WCUwQEK4/yaguX948uGShjASOIf2N+umS+68tQRbrefNVpoTk3E1btvH
kfZfx9JwZNAxu0W+9d4edcP/CY0cQ/Fl9kyIwCMokaZ+T6Uf74WKs+fT3klhKEY2
HFj/xP5VgeCr1BecP709qutJMJ37RHre2iZRGOdALn+gV3T+A9rT8XVx8dMCqQ7Z
EjETgvZVpuaVbl4evCbUdsX5fjICVH0VhkFNcKGj0F8fQ5mIubVds/NpF2n0+ie0
blkUOqhRRniYcFPoaQKm8IrCRCKcwW5o67pthFaejJOz5wMrEJP0vIeVzY0bLHZL
gzHWOU1wF++NB3WeA4+a7j6RjxDuLFTvABjlStRhs3mAlan93alFxdCYl7RWI6SX
HtsVd0lW8Ug54zSVi+zCQbcg3AVFpZxpvL5URk+p40L03aPWh8JNbghffpo/j167
EKp81PEcSYXtMhjdNXbVHP1NKZmsFJgSKcx3TLuoaOVDuCgOSw+tg3tQjOcOiqak
0AZRamhZartVZ22BRuToAEQpP4c0iqC6Qq/2ZwSsKi77AYW7Vppdo/NExm2cFfIs
RlA8xoefyxif/OskR+MpOZZHttNi5a9MRbcTUmkp5xsEijHZOJjUIVv5cAkOQKNo
lfO006p8maAu09tkkEYUyVq0P5KQ0kgWNp0u3JsJdxzHlSVqxmk=
=Hoxj
-----END PGP SIGNATURE-----
========================================================================
CHANGELOG for 9.1.0:
** Bug
* [WICKET-6702] - AsynchronousPageStore with
NotDetachedModelChecker - "Not detached model found" exception
on
several fast sequential Ajax calls
* [WICKET-6802] - FilePageStore writing to
UserDefinedFileAttributeView might be null
* [WICKET-6803] - wicket-objectsizeof-agent has no valid
automatic
module name
* [WICKET-6806] - CSP header response decorator breaks
JavaScriptFilteredIntoFooterHeaderResponse
* [WICKET-6808] - Cannot add page to AjaxRequestTarget
* [WICKET-6810] - Asynchronous+encrypted pagestore leads
to
WicketRuntimeException
* [WICKET-6813] - Setting child-src does not update
frame-src
after
initial assignment
* [WICKET-6818] - NPE in WicketEndpoint onClose
* [WICKET-6822] - AsynchronousPageStore Potential Memory
Leak
* [WICKET-6825] - wicket-ioc 9.0.0 throws IAE with JDK14,
still
includes outdated ASM 7.1.0 in cglib-nodep
* [WICKET-6837] - Jupiter engine transitively included
in war
file
** New Feature
* [WICKET-6805] - Add Cross-Origin Opener Policy and
Cross-Origin
Embedder Policy support
** Improvement
* [WICKET-6786] - CsrfPreventionRequestCycleListener
should
support
Fetch Metadata Request Headers
* [WICKET-6807] - Fake Submitting Button
* [WICKET-6821] - Completely disable CSP support
* [WICKET-6824] - Use concatenation instead of
String.format
for
frequently called methods
* [WICKET-6826] - Improve performance and reduce
allocations
for
Behaviors
* [WICKET-6827] - Improve performance of Strings.join and
Strings.replaceAll
* [WICKET-6828] - Wrong tree branch icon with hidden
children
* [WICKET-6829] - Use String.isEmpty() instead of
"".equals(...)
* [WICKET-6830] - Convert Behaviors into a static utility
class
to
reduce allocations
* [WICKET-6831] - Try to flush the response before detach
* [WICKET-6833] - Reduce allocations when merging page
parameters
* [WICKET-6835] - Improve performance of
AbstractMapper.getPlaceholder
* [WICKET-6838] - Improve performance of Strings.split
--
Best regards,
Maxim
--
Best regards,
Maxim
--
Best regards,
Maxim
--
Best regards,
Maxim
