Hi,

I was recently reviewing one of the PRs (#7154 - "Wicket 9 upgrade"). This looks like it's brought in some changes WRT content-security-policy, which has some implications for wicket-with-javascript.

I loaded the GS homepage, and I got a content-security-policy issue about some JavaScript. Tracking it down, it was a single line of JavaScript:

https://github.com/geoserver/geoserver/blob/main/src/web/core/src/main/java/org/geoserver/web/GeoServerBasePage.html#L42-L44

    <script type="text/javascript">
        $('input, textarea').placeholder();
    </script>

In order to fix this, I removed that <script>, and modified GeoServerBasePage#renderHeader to include:

    response.render(OnDomReadyHeaderItem.forScript("$('input, textarea').placeholder();"));

Wicket will embed that command in a dom-ready event. Something like this:

[image: image.png]

CSP adds the CSP header with a per-request nonce="..." that will allow this code block to execute (the CSP header nonce and the script nonce must match).

The alternative for something like this would be to create a tiny JS file for the page that would have the $('input, textarea').placeholder(); code in it. This could be added, via Wicket, in the same manner.

A second alternative is adding a hash to the <script> tag - but I'm sure if I like that from a maintenance/security perspective.

Is there any guidance for this?

Also, this would mean removing any `onClick=` or `onChange=` handlers in the HTML to be attached by a JS command. Something like this:

    $("#someElement").on("change", function(event) { someFunction(this); } );

I've noticed that the Demo Requests page (a complex js-and-wicket page) isn't working anymore. I expect this is due to some click/change handlers. I will look into that tomorrow, but I didn't want to spend a bunch of time "doing the wrong thing", so I am asking here.

Any guidance on how to proceed?

Cheers,
Dave
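An added example, not part of the original message or of the GeoServer code base: a small Node.js audit that lists the markup a nonce-based policy would block, namely inline <script> blocks whose nonce is missing or does not match the header, and inline `on...=` handler attributes. The function names, the nonce value and the sample page are constructed for illustration, and the regex matching is a simplification of real HTML and CSP parsing.

```javascript
// Added example: simplified regex-based audit, not a full HTML or CSP parser.
// Collect the nonces allowed by the script-src directive of a CSP header value.
function scriptNonces(cspHeader) {
  const directive = cspHeader.split(';').map(d => d.trim())
    .find(d => /^script-src(\s|$)/i.test(d)) || '';
  return new Set([...directive.matchAll(/'nonce-([^']+)'/g)].map(m => m[1]));
}

// Report markup that a nonce-based policy (without 'unsafe-inline') would block.
function auditPage(html, cspHeader) {
  const nonces = scriptNonces(cspHeader);
  const findings = [];
  // Inline <script> blocks (no src) run only if their nonce matches the header.
  for (const m of html.matchAll(/<script\b([^>]*)>([\s\S]*?)<\/script>/gi)) {
    const attrs = m[1];
    if (/\bsrc\s*=/i.test(attrs)) continue; // external file: covered by the source list
    const nonce = (attrs.match(/\bnonce\s*=\s*["']([^"']*)["']/i) || [])[1];
    const code = m[2].trim();
    if (!nonce) findings.push({ kind: 'inline-script-no-nonce', code });
    else if (!nonces.has(nonce)) findings.push({ kind: 'inline-script-nonce-mismatch', code });
  }
  // Inline event-handler attributes cannot carry a nonce, so each one is reported
  // (first handler per element only, to keep the pattern short).
  for (const m of html.matchAll(/<(\w+)\b[^>]*?\s(on[a-z]+)\s*=\s*["']([^"']*)["']/gi)) {
    findings.push({ kind: 'inline-handler', element: m[1], attr: m[2].toLowerCase(), code: m[3] });
  }
  return findings;
}

// Constructed sample input: the nonce value and the page markup are made up.
const SAMPLE_CSP = "default-src 'self'; script-src 'self' 'nonce-r4nd0mABC'";
const SAMPLE_HTML = `
<script type="text/javascript"> $('input, textarea').placeholder(); </script>
<script type="text/javascript" nonce="r4nd0mABC">
  $(function() { $('input, textarea').placeholder(); });
</script>
<script src="js/page.js"></script>
<select id="someElement" onChange="someFunction(this);"></select>`;

console.log(auditPage(SAMPLE_HTML, SAMPLE_CSP));
```

Run against rendered pages (not the raw Wicket templates) so that the nonces Wicket injects are present in the markup being checked.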