Emond Papegaaij created WICKET-6745:
---------------------------------------

             Summary: CSP: inline JS in server and clienttime response filters
                 Key: WICKET-6745
                 URL: https://issues.apache.org/jira/browse/WICKET-6745
             Project: Wicket
          Issue Type: Bug
          Components: wicket-core, wicket-examples
    Affects Versions: 9.0.0-M4
            Reporter: Emond Papegaaij

{{ServerAndClientTimeFilter}}, {{AjaxServerAndClientTimeFilter}} and {{ServerHostNameAndTimeFilter}} all render inline script tags. Because these tags are rendered in a non-standard way, the nonce is not added, violating the CSP.

These filters all put status information in {{window.defaultStatus}}. This property has been deprecated for years and support has been removed in most (if not all) browsers.

My suggestion is to deprecate these classes in core and remove the one in examples. In the deprecated version, there is no need to fix the CSP violation.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
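
A check for the condition reported above, as an added example that is not part of the original message or Wicket's code: it scans rendered markup for inline script tags whose nonce is missing or not listed in the response's CSP. The function names, policy, nonce and HTML are constructed for illustration, and the regex scan is a simplification of real HTML parsing.

```javascript
// Added example: find inline <script> blocks that a nonce-based CSP would block.
// The policy, nonce and markup below are constructed sample data.

// Collect nonces allowed by script-src (falling back to default-src).
function allowedNonces(cspHeader) {
  const directives = new Map();
  for (const part of cspHeader.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name && !directives.has(name.toLowerCase())) { // first occurrence wins
      directives.set(name.toLowerCase(), values);
    }
  }
  const sources = directives.get('script-src') || directives.get('default-src') || [];
  const nonces = new Set();
  for (const src of sources) {
    const m = /^'nonce-([A-Za-z0-9+/_-]+={0,2})'$/.exec(src);
    if (m) nonces.add(m[1]);
  }
  return nonces;
}

// Return inline scripts (no src attribute) whose nonce is missing or not allowed.
function findBlockedInlineScripts(html, cspHeader) {
  const nonces = allowedNonces(cspHeader);
  const blocked = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let match;
  while ((match = scriptRe.exec(html)) !== null) {
    const [, attrs, body] = match;
    if (/(^|\s)src\s*=/i.test(attrs)) continue; // external script, not inline
    const nonceAttr = /(?:^|\s)nonce\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(attrs);
    const nonce = nonceAttr ? (nonceAttr[1] ?? nonceAttr[2] ?? nonceAttr[3]) : null;
    if (nonce === null || !nonces.has(nonce)) {
      blocked.push({ reason: nonce === null ? 'missing nonce' : 'nonce not in policy', body: body.trim() });
    }
  }
  return blocked;
}

const SAMPLE_CSP = "default-src 'none'; script-src 'self' 'nonce-c2FtcGxlLW5vbmNl'";
const SAMPLE_HTML = `<html><head>
<script nonce="c2FtcGxlLW5vbmNl">var ok = 1;</script>
<script src="/app.js"></script>
</head><body><p>page</p>
<script>window.defaultStatus='Server time: 0.01s';</script>
</body></html>`;

console.log(findBlockedInlineScripts(SAMPLE_HTML, SAMPLE_CSP));
```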