David, I have returned from vacation and am catching up with email. I believe you have restored the demo request page.
What approach did you end up using?

--
Jody Garnett

On Aug 7, 2024 at 11:25:15 PM, David Blasby <dbla...@gmail.com> wrote:

> Hi,
>
> I was recently reviewing one of the PRs (#7154 - "Wicket 9 upgrade"). This
> looks like it's brought in some changes WRT content-security-policy - which
> has some implications for wicket-with-javascript.
>
> I loaded the GS homepage, and I got a content-security-policy issue about
> some javascript.
>
> Tracking it down, it was a single line of javascript
>
> https://github.com/geoserver/geoserver/blob/main/src/web/core/src/main/java/org/geoserver/web/GeoServerBasePage.html#L42-L44
>
>     <script type="text/javascript">
>         $('input, textarea').placeholder();
>     </script>
>
> In order to fix this, I removed that <script>, and modified
> GeoServerBasePage#renderHeader to include:
>
>     response.render(OnDomReadyHeaderItem.forScript("$('input, textarea').placeholder();"));
>
> Wicket will embed that command in a dom-ready event. Something like this:
>
> [image: image.png]
>
> CSP adds the CSP header with a per-request nonce="..." that will allow
> this code block to execute (the CSP header nonce and the script nonce must
> match).
>
> The alternative for something like this would be to create a tiny JS file
> for the page that would have the $('input, textarea').placeholder(); code
> in it. This could be added, via wicket, in the same manner.
>
> A second alternative is adding a hash to the <script> tag - but I'm sure
> if I like that from a maintenance/security perspective.
>
> Is there any guidance for this?
>
>
> Also, this would mean removing any `onClick=` or `onChange=` handlers in
> the HTML to be attached by a JS command. Something like this:
>
>     $("#someElement").on("change", function(event) {
>         someFunction(this);
>     });
>
> I've noticed that the Demo Requests page (a complex js-and-wicket page)
> isn't working anymore. I expect this is due to some click/change
> handlers. I will look into that tomorrow, but I didn't want to spend a
> bunch of time "doing the wrong thing" so I am asking here.
>
> Any guidance on how to proceed?
>
> Cheers,
> Dave
> _______________________________________________
> Geoserver-devel mailing list
> Geoserver-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/geoserver-devel
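
Added example, not part of the original thread and not GeoServer or Wicket code: a small Node.js model of how a browser decides whether inline script may run under a script-src policy, covering the nonce approach, the hash alternative and the inline `onClick=`/`onChange=` handlers discussed in the message above. The header values, the nonce and all function names are constructed for illustration; it assumes the header carries a script-src or default-src directive and does not model 'unsafe-hashes' or 'strict-dynamic'.

```javascript
// Added example: constructed policy and nonce values, not GeoServer's real header.
const { createHash } = require('node:crypto');

// CSP hash source for an inline script: base64 SHA-256 of the exact text between the tags.
function cspHash(body) {
  return 'sha256-' + createHash('sha256').update(body, 'utf8').digest('base64');
}

// Extract nonce/hash sources from script-src (falling back to default-src).
function parseScriptSrc(csp) {
  const directives = csp.split(';').map(d => d.trim().split(/\s+/));
  const pick = name => directives.find(t => t[0].toLowerCase() === name);
  const sources = (pick('script-src') || pick('default-src') || [''])
    .slice(1).map(s => s.replace(/^'|'$/g, ''));
  const nonces = new Set(sources.filter(s => s.startsWith('nonce-')).map(s => s.slice(6)));
  const hashes = new Set(sources.filter(s => s.startsWith('sha256-')));
  // Browsers ignore 'unsafe-inline' as soon as any nonce or hash source is present.
  const unsafeInline = sources.includes('unsafe-inline') && nonces.size + hashes.size === 0;
  return { nonces, hashes, unsafeInline };
}

// Returns which source allows a <script> element's inline body, or null if it is blocked.
function inlineScriptAllowedBy(policy, body, nonceAttr) {
  if (nonceAttr && policy.nonces.has(nonceAttr)) return 'nonce';
  if (policy.hashes.has(cspHash(body))) return 'hash';
  return policy.unsafeInline ? 'unsafe-inline' : null;
}

// onclick=/onchange= attributes carry no nonce, so only an effective 'unsafe-inline' permits them.
function handlerAttributeAllowed(policy) {
  return policy.unsafeInline;
}

const script = "$('input, textarea').placeholder();";
const noncePolicy = parseScriptSrc("default-src 'self'; script-src 'self' 'nonce-EXAMPLEnonce123'");
const hashPolicy = parseScriptSrc(`script-src 'self' '${cspHash(script)}'`);

console.log(inlineScriptAllowedBy(noncePolicy, script, undefined));         // plain inline <script>
console.log(inlineScriptAllowedBy(noncePolicy, script, 'EXAMPLEnonce123')); // nonce matches header
console.log(inlineScriptAllowedBy(hashPolicy, script, undefined));          // body matches hash
console.log(inlineScriptAllowedBy(hashPolicy, script + ' ', undefined));    // edited body
console.log(handlerAttributeAllowed(noncePolicy));                          // onChange= attribute
```

The hash is computed over the exact script text, so any edit to the inline body, even whitespace, requires a new hash in the header, whereas a per-request nonce is independent of the script content.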