Uploaded image for project: 'Wicket'
  1. Wicket
  2. WICKET-6703

Eliminate window.eval from wicket-ajax-jquery

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 8.6.1
    • 9.0.0-M4
    • wicket-core
    • None

    Description

      It's impossible to configure wicket with strict CSP Policy without unsafe-eval and keep using AJAX, because most of AJAX responses contain evaluations and header contributions which cause window.eval to be called. 

      Window eval can be replaced with DOMEval with nonce approach. DOM eval is available in jQuery as globalEval.

      Attachments

        Issue Links

          causes

          Bug - A problem which impairs or prevents the functions of the product. WICKET-6953 JavaScriptDeferHeaderResponse not working correctly for AJAX requests

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved
          depends upon

          Improvement - An improvement or enhancement to an existing feature or task. WICKET-6682 Improve JavaScriptContentHeaderItem and JavaScriptUtils to support nonce

          • Major - Major loss of function.
          • Resolved
          relates to

          Improvement - An improvement or enhancement to an existing feature or task. WICKET-6688 Add alternative RPC response to substitute the append java script in ajax response

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Open
          links to

          Web Link GitHub Pull Request #384

          Activity

            People

              svenmeier Sven Meier
              Kondratev Andrew Kondratev
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: