[ https://issues.apache.org/jira/browse/WICKET-6703?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16939162#comment-16939162 ]
Sven Meier commented on WICKET-6703:
------------------------------------

[~Kondratev] Good to have this as a separate issue now.

Some questions (not to Andrew alone):
* is this really more secure? I fail to see how adding dynamic JS to the header is different from evaluating it directly.
* or is this change at least valuable for Wicket's security advertisement?
* any downsides? do we accept the performance impact? ([~Kondratev] could you add your findings here again?)
* how urgent is this? do we want to add this to Wicket 9?

> Eliminate window.eval from wicket-ajax-jquery
> ---------------------------------------------
>
> Key: WICKET-6703
> URL: https://issues.apache.org/jira/browse/WICKET-6703
> Project: Wicket
> Issue Type: Improvement
> Components: wicket-core
> Reporter: Andrew Kondratev
> Priority: Major
>
> It's impossible to configure Wicket with a strict CSP policy without
> unsafe-eval and keep using AJAX, because most AJAX responses contain
> evaluations and header contributions which cause window.eval to be called.
> window.eval can be replaced with a DOMEval-with-nonce approach. DOM eval is
> available in jQuery as globalEval.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
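To make Sven's first question concrete, here is an added example (not code from the Wicket project or from the issue) showing what the browser's CSP actually checks in the two cases: `window.eval` is gated by the `'unsafe-eval'` keyword in `script-src`, whereas a `<script>` element inserted into the DOM is gated by the source list, so a `'nonce-...'` entry matching the element's `nonce` attribute lets it run. The `domEval` function mirrors what jQuery's `globalEval` does (create a script element, set its text, append it to `<head>`, remove it again). Assumptions: the policy parser below only handles the directives and source expressions needed for this point (`script-src`, the `default-src` fallback, `'unsafe-eval'`, `'nonce-...'`); the "document" handed to `domEval` is a constructed stand-in so the code runs outside a browser, and it does not enforce the policy itself, the real browser does; the `STRICT_CSP` header value is a constructed sample.

```javascript
// Added example: CSP treatment of window.eval vs. a nonce'd <script> element.
// Not Wicket or jQuery code. The parser is deliberately limited to the parts
// of CSP that matter here; the fake document is a constructed stand-in.

// Parse a Content-Security-Policy header value into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// script-src governs scripts; when absent, default-src applies; when neither
// is present there is no script restriction at all.
function scriptSources(policy) {
  return policy["script-src"] || policy["default-src"] || null;
}

// window.eval / new Function / setTimeout(string) are allowed only when the
// governing source list contains 'unsafe-eval'. A nonce does not help here.
function evalAllowed(header) {
  const sources = scriptSources(parseCsp(header));
  if (sources === null) return true;
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// An inline <script nonce="N"> is allowed when 'nonce-N' is in the source list.
// The nonce value is compared exactly (it is opaque base64, case-sensitive).
function nonceScriptAllowed(header, nonce) {
  const sources = scriptSources(parseCsp(header));
  if (sources === null) return true;
  return sources.some((s) => s === `'nonce-${nonce}'`);
}

// DOM eval with a nonce: instead of window.eval(code), create a <script>
// element carrying the page's nonce and insert it into the document. `doc`
// is whatever supplies createElement/head; in a browser that is `document`.
function domEval(doc, code, nonce) {
  const script = doc.createElement("script");
  script.setAttribute("nonce", nonce);
  script.text = code;
  doc.head.appendChild(script); // the browser executes it here, under CSP
  doc.head.removeChild(script); // jQuery.globalEval removes the element too
  return script;
}

// Constructed stand-in for the DOM so the example runs without a browser.
// It records inserted elements; it does NOT evaluate code or enforce CSP.
function fakeDocument() {
  const inserted = [];
  return {
    inserted,
    createElement(tag) {
      const attrs = {};
      return {
        tagName: tag.toUpperCase(),
        text: "",
        setAttribute(k, v) { attrs[k] = v; },
        getAttribute(k) { return attrs[k]; },
      };
    },
    head: {
      appendChild(el) { inserted.push(el); return el; },
      removeChild(el) { return el; },
    },
  };
}

// Constructed sample of a strict policy: no 'unsafe-eval', nonce allow-list.
const STRICT_CSP =
  "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'";

// With STRICT_CSP, evalAllowed(...) is false while a script inserted via
// domEval(document, code, "r4nd0m") passes the nonce check.
```

The part that makes the DOM route "more secure" than `eval` is not the insertion mechanism but the fact that it lets the page drop `'unsafe-eval'`: an attacker who can get a string into `window.eval` needs no nonce, whereas a script element only runs if it carries the per-response nonce that the server put into the header. That only holds if the nonce is unguessable and fresh for every response, and the AJAX handler has to obtain the current page's nonce to attach it.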