[WICKET-6745] CSP: inline JS in server and client time response filters - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 9.0.0-M4
Fix Version/s: 9.0.0-M5
Component/s: wicket-core, wicket-examples
Labels:
None

Description

ServerAndClientTimeFilter, AjaxServerAndClientTimeFilter and ServerHostNameAndTimeFilter all render inline script tags. Because these tags are rendered in a non-standard way, the nonce is not added, violating the CSP.

These filters all put status information in window.defaultStatus. This property has been deprecated for years and support has been removed in most (if not all) browsers. My suggestion is to deprecate these classes in core and remove the one in examples. In the deprecated version, there is no need to fix the CSP violation.

Attachments

Issue Links

is a child of

WICKET-6687 Cleanup the code from attribute inline styles and attribute inline scripts

Resolved

Activity

People

Assignee:: Emond Papegaaij

Reporter:: Emond Papegaaij

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 04/Feb/20 19:36

Updated:: 17/Feb/20 21:03

Resolved:: 17/Feb/20 21:03