Wicket / WICKET-7028

CSP header not rendered when using RedirectPolicy.NEVER_REDIRECT


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 9.12.0
    • Fix Version/s: 10.0.0-M1, 9.13.0
    • Component/s: None
    • Labels: None

    Description

      We're busy with a project to replace every page in our application with a newer version. We don't want to break existing bookmarks, but we also don't want to have untested new pages in production. As a solution, all our new pages are only accessible via a feature toggle.

      A simplified version looks like:

      SimplePage.html

      <!DOCTYPE html>
      <html xmlns:wicket="http://wicket.apache.org">
      <head>
      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
      <title></title>
      </head>
      <body>
          <div wicket:id="label"></div>
      </body>
      </html>
      

       SimplePage.java

      import org.apache.wicket.markup.html.WebPage;

      public class SimplePage extends WebPage {

          public SimplePage() {
              super();
          }
      }

       
      OldPage.java

      import org.apache.wicket.markup.html.basic.Label;

      public class OldPage extends SimplePage {

          public OldPage() {
          }

          @Override
          protected void onInitialize() {
              super.onInitialize();
              add(new Label("label", "OldPage"));
          }
      }

       
      NewPage.java

      import org.apache.wicket.RestartResponseException;
      import org.apache.wicket.core.request.handler.PageProvider;
      import org.apache.wicket.core.request.handler.RenderPageRequestHandler.RedirectPolicy;
      import org.apache.wicket.markup.html.basic.Label;

      public class NewPage extends SimplePage {

          public NewPage() {
              if (featureFlagDisabled()) {
                  // new page is not ready yet, show users the old page
                  throw new RestartResponseException(
                          new PageProvider(OldPage.class),
                          RedirectPolicy.NEVER_REDIRECT
                          );
              }
          }

          private boolean featureFlagDisabled() {
              return true;
          }

          @Override
          protected void onInitialize() {
              super.onInitialize();
              add(new Label("label", "NewPage"));
          }
      }

       
      And in our application class:

          @Override
          protected void init() {
              super.init();
              mountPage("page1", NewPage.class);
              mountPage("page2", OldPage.class);
              getCspSettings().blocking();
          }

      The URL 'page1' is known to our users. The URL 'page2' is not known to our users. Besides ending up with outdated bookmarks, there's no harm if they accessed it directly.

      Regardless of which URL you open, the RestartResponseException ensures the response in the browser is always 'OldPage'.

      However, the CSP is not included if Wicket performs the internal redirect. If I open the URL 'page2' directly, the result does include a CSP. See attached screenshots.

      A workaround for this issue is a client-side redirect, but then the users would see the URL change.
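As an added example (not code from the report or from the Wicket project), a WicketTester regression check for the behaviour described above: it renders both mounted URLs and asserts that the blocking Content-Security-Policy header is present on each response, so a missing header after the internal NEVER_REDIRECT restart fails the build instead of being noticed in the browser. ExampleApplication and CspAfterRestartTest are hypothetical names; NewPage and OldPage are the classes from the report, and Wicket 9 with JUnit 5 is assumed.

```java
import static org.junit.jupiter.api.Assertions.assertNotNull;

import org.apache.wicket.Page;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.util.tester.WicketTester;
import org.junit.jupiter.api.Test;

public class CspAfterRestartTest {

    /** Hypothetical application: mounts the two pages from the report and enables the blocking CSP. */
    static class ExampleApplication extends WebApplication {
        @Override
        public Class<? extends Page> getHomePage() {
            return OldPage.class;
        }

        @Override
        protected void init() {
            super.init();
            mountPage("page1", NewPage.class);
            mountPage("page2", OldPage.class);
            getCspSettings().blocking();
        }
    }

    /** Renders the given mounted URL and returns the CSP header of the response, or null if absent. */
    private static String cspHeaderFor(WicketTester tester, String url) {
        tester.executeUrl(url);
        return tester.getLastResponse().getHeader("Content-Security-Policy");
    }

    @Test
    void directRenderCarriesCsp() {
        WicketTester tester = new WicketTester(new ExampleApplication());
        // page2 renders OldPage directly; the report confirms this response carries a CSP.
        assertNotNull(cspHeaderFor(tester, "page2"), "direct render of OldPage must send a CSP header");
    }

    @Test
    void internalRestartStillCarriesCsp() {
        WicketTester tester = new WicketTester(new ExampleApplication());
        // page1 constructs NewPage, which restarts to OldPage with NEVER_REDIRECT in the same request.
        // On 9.12.0 this is the case the report describes: OldPage is rendered, but without the header.
        String csp = cspHeaderFor(tester, "page1");
        tester.assertRenderedPage(OldPage.class);
        assertNotNull(csp, "OldPage rendered via RestartResponseException must send a CSP header");
    }
}
```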

      Attachments

        1. withoutcsp.png (47 kB, Youri de Boer)
        2. withcsp.png (79 kB, Youri de Boer)
        3. image-2023-04-05-14-35-49-714.png (130 kB, Ernesto Reinaldo Barreiro)
        4. image-2023-04-05-13-21-01-849.png (137 kB, Ernesto Reinaldo Barreiro)
        5. image-2023-04-05-13-19-40-207.png (39 kB, Ernesto Reinaldo Barreiro)
        6. image-2023-04-05-13-13-46-451.png (119 kB, Ernesto Reinaldo Barreiro)
        7. image-2023-04-05-10-58-33-645.png (58 kB, Ernesto Reinaldo Barreiro)
        8. examplecsp.zip (30 kB, Youri de Boer)

      People

        Assignee: Ernesto Reinaldo Barreiro (reiern70)
        Reporter: Youri de Boer (Youri219)
        Votes: 0
        Watchers: 6