On 2020/11/24 15:49:58, Francesco Chicchiriccò <ilgro...@apache.org> wrote:
> Hi,
> in a Wicket 8.8.0 application, I am following what is suggested in
>
> https://ci.apache.org/projects/wicket/guide/8.x/single.html#_external_security_checks
>
> to add the Content-Security-Policy header into the response.
>
> My application extends AuthenticatedWebApplication so, when accessing the
> root page, I receive an HTTP 302 redirect to
>
> /login;jsessionid=<something>
>
> which is expected.
>
> Unfortunately, as far as I can tell, the Content-Security-Policy header is
> included in the initial request to the root page but missing when I am
> getting the login page, following the redirect.
Further information: with -Dwicket.configuration=deployment

GET / returns

    HTTP/1.1 302
    Set-Cookie: JSESSIONID=31A285C6E9F7B7F238F58B7DFC3DBD2B; Path=/syncope-console; Secure; HttpOnly
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    Content-Security-Policy: default-src https:
    X-Content-Type-Options: nosniff
    Date: Wed, 25 Nov 2020 09:04:18 GMT
    Expires: Thu, 01 Jan 1970 00:00:00 GMT
    Pragma: no-cache
    Cache-Control: no-cache, no-store
    Location: ./login;jsessionid=31A285C6E9F7B7F238F58B7DFC3DBD2B
    Content-Length: 0

GET ./login;jsessionid=31A285C6E9F7B7F238F58B7DFC3DBD2B returns

    HTTP/1.1 302
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    Content-Security-Policy: default-src https:
    X-Content-Type-Options: nosniff
    Date: Wed, 25 Nov 2020 09:05:22 GMT
    Expires: Thu, 01 Jan 1970 00:00:00 GMT
    Pragma: no-cache
    Cache-Control: no-cache, no-store
    Location: ./login;jsessionid=31A285C6E9F7B7F238F58B7DFC3DBD2B?1
    Content-Length: 0

and finally GET ./login;jsessionid=31A285C6E9F7B7F238F58B7DFC3DBD2B?1 returns

    HTTP/1.1 200
    Date: Wed, 25 Nov 2020 09:06:14 GMT
    Expires: Thu, 01 Jan 1970 00:00:00 GMT
    Pragma: no-cache
    Cache-Control: no-cache, no-store
    Content-Type: text/html;charset=UTF-8
    Transfer-Encoding: chunked

    <!DOCTYPE html>
    <!-- content stripped -->

I am observing that with -Dwicket.configuration=development even the last GET returns the expected headers.

Regards.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org
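The transcript above was checked by hand, hop by hop. The script below is an added example (editor's code, not part of the thread and not Wicket or Syncope code) that automates that check: it parses a captured redirect chain, reports on every hop which security headers are absent, and flags Set-Cookie values lacking Secure or HttpOnly. The REQUIRED_HEADERS list is an assumption about what the application is meant to send on every response; the SAMPLE_CHAIN is a constructed transcript modeled on the one posted above, with the same session id and headers.

```python
"""Audit every hop of a captured HTTP redirect chain for security headers.

Editor's example; the hardening policy in REQUIRED_HEADERS is an assumption,
not something Wicket or the guide prescribes.
"""
from textwrap import dedent
from typing import Dict, List, Tuple

# Headers expected on every response, including the final rendered page.
REQUIRED_HEADERS = (
    "content-security-policy",
    "strict-transport-security",
    "x-content-type-options",
    "x-frame-options",
)

# Constructed transcript modeled on the thread: two 302s that carry the
# headers, then a 200 that does not.
SAMPLE_CHAIN = [
    dedent("""\
        HTTP/1.1 302
        Set-Cookie: JSESSIONID=31A285C6E9F7B7F238F58B7DFC3DBD2B; Path=/syncope-console; Secure; HttpOnly
        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
        X-Frame-Options: deny
        Content-Security-Policy: default-src https:
        X-Content-Type-Options: nosniff
        Location: ./login;jsessionid=31A285C6E9F7B7F238F58B7DFC3DBD2B
        Content-Length: 0
        """),
    dedent("""\
        HTTP/1.1 302
        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
        X-Frame-Options: deny
        Content-Security-Policy: default-src https:
        X-Content-Type-Options: nosniff
        Location: ./login;jsessionid=31A285C6E9F7B7F238F58B7DFC3DBD2B?1
        Content-Length: 0
        """),
    dedent("""\
        HTTP/1.1 200
        Cache-Control: no-cache, no-store
        Content-Type: text/html;charset=UTF-8
        Transfer-Encoding: chunked

        <!DOCTYPE html>
        """),
]


def parse_response(raw: str) -> Tuple[int, Dict[str, List[str]]]:
    """Parse status code and headers of one raw HTTP/1.1 response.

    Header names are lower-cased; repeated headers are kept in order.
    Everything after the first blank line (the body) is ignored.
    """
    head = raw.lstrip("\n").split("\n\n", 1)[0]
    lines = head.splitlines()
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {lines[0]!r}")
    status = int(parts[1])
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if ":" not in line:
            raise ValueError(f"malformed header line: {line!r}")
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def audit_chain(raw_responses: List[str]) -> List[dict]:
    """Return one finding per hop: status, missing headers, weak cookies."""
    findings = []
    for hop, raw in enumerate(raw_responses, 1):
        status, headers = parse_response(raw)
        missing = [h for h in REQUIRED_HEADERS if h not in headers]
        weak_cookies = []
        for cookie in headers.get("set-cookie", []):
            cookie_name = cookie.split("=", 1)[0].strip()
            attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
            for flag in ("secure", "httponly"):
                if flag not in attrs:
                    weak_cookies.append(f"{cookie_name} lacks {flag}")
        findings.append({
            "hop": hop,
            "status": status,
            "missing": missing,
            "weak_cookies": weak_cookies,
            "location": headers.get("location", [None])[0],
        })
    return findings


def chain_is_clean(findings: List[dict]) -> bool:
    """True only if no hop lacks a required header or a cookie flag."""
    return all(not f["missing"] and not f["weak_cookies"] for f in findings)


if __name__ == "__main__":
    for f in audit_chain(SAMPLE_CHAIN):
        print(f"hop {f['hop']} HTTP {f['status']}: missing={f['missing']} "
              f"weak_cookies={f['weak_cookies']}")
```

Run against the sample chain, hops 1 and 2 come back clean and hop 3 (the 200 page) is reported as missing all four headers, which is exactly the deployment-mode behaviour described in the thread. To audit a live application, capture each hop with curl -i (without -L, so the 302 bodies and headers are kept separate) and pass the responses in order.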