This is an automated email from the ASF dual-hosted git repository.

papegaaij pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/wicket.git


The following commit(s) were added to refs/heads/master by this push:
     new 1619809  WICKET-6727: only render CSP on RenderPageRequestHandler
1619809 is described below

commit 16198099d8a965f17c85d2de7a6dce36b000ec26
Author: Emond Papegaaij <emond.papega...@topicus.nl>
AuthorDate: Fri Mar 13 09:44:36 2020 +0100

    WICKET-6727: only render CSP on RenderPageRequestHandler
---
 .../apache/wicket/csp/CSPRequestCycleListener.java |  8 +--
 .../apache/wicket/examples/csp/NonceDemoPage.html  |  1 +
 .../apache/wicket/examples/csp/NonceDemoPage.java  | 71 ++++++++++++----------
 3 files changed, 45 insertions(+), 35 deletions(-)

diff --git 
a/wicket-core/src/main/java/org/apache/wicket/csp/CSPRequestCycleListener.java 
b/wicket-core/src/main/java/org/apache/wicket/csp/CSPRequestCycleListener.java
index f0acc52..3250174 100644
--- 
a/wicket-core/src/main/java/org/apache/wicket/csp/CSPRequestCycleListener.java
+++ 
b/wicket-core/src/main/java/org/apache/wicket/csp/CSPRequestCycleListener.java
@@ -16,8 +16,8 @@
  */
 package org.apache.wicket.csp;
 
-import org.apache.wicket.core.request.handler.BufferedResponseRequestHandler;
 import org.apache.wicket.core.request.handler.IPageClassRequestHandler;
+import org.apache.wicket.core.request.handler.RenderPageRequestHandler;
 import org.apache.wicket.request.IRequestHandler;
 import org.apache.wicket.request.IRequestHandlerDelegate;
 import org.apache.wicket.request.cycle.IRequestCycleListener;
@@ -81,11 +81,11 @@ public class CSPRequestCycleListener implements 
IRequestCycleListener
                {
                        return 
mustProtect(((IRequestHandlerDelegate)handler).getDelegateHandler());
                }
-               if (handler instanceof IPageClassRequestHandler)
+               if (handler instanceof RenderPageRequestHandler)
                {
-                       return 
settings.mustProtectPageRequest((IPageClassRequestHandler)handler);
+                       return 
settings.mustProtectPageRequest((RenderPageRequestHandler)handler);
                }
-               return !(handler instanceof BufferedResponseRequestHandler);
+               return false;
        }
 
 }
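Review bot: The fall-through at `return false;` flips the default from protect-everything-except-`BufferedResponseRequestHandler` to protect-nothing-but-`RenderPageRequestHandler`, so any handler that emits HTML without being (or delegating to) a `RenderPageRequestHandler` now gets no CSP header; that fail-open default deserves a comment stating the rationale so it is not widened by accident, e.g. `// Only full page renders produce HTML that needs a CSP header; Ajax, resource and buffered-replay responses are skipped`. It would also be worth a test asserting the header is present for a page render and absent for a resource request, so the narrowing stays deliberate. `IPageClassRequestHandler` is still imported above although this hunk no longer uses it; confirm it is referenced elsewhere in the file or drop the import. The enclosing `mustProtect` method starts outside the hunk.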
diff --git 
a/wicket-examples/src/main/java/org/apache/wicket/examples/csp/NonceDemoPage.html
 
b/wicket-examples/src/main/java/org/apache/wicket/examples/csp/NonceDemoPage.html
index 32549a7..d22b416 100644
--- 
a/wicket-examples/src/main/java/org/apache/wicket/examples/csp/NonceDemoPage.html
+++ 
b/wicket-examples/src/main/java/org/apache/wicket/examples/csp/NonceDemoPage.html
@@ -13,6 +13,7 @@
     <p></p>
     <button wicket:id="clickMe"><wicket:message key="clickMe" /></button>
     <div class="click-me-text">Click a button above to replace this text</div>
+    <div wicket:id="blacktext">This text will stay black even though color:red 
is added by the button above</div>
     <div><wicket:message key="clickMeCount" /> <span 
wicket:id="clickMeCount"></span></div>
     <p></p>
     <div wicket:id="delayedVisible" class="delayed-visible">This delayed shown 
text should be green and bold</div>
diff --git 
a/wicket-examples/src/main/java/org/apache/wicket/examples/csp/NonceDemoPage.java
 
b/wicket-examples/src/main/java/org/apache/wicket/examples/csp/NonceDemoPage.java
index dce8079..4fe81b0 100644
--- 
a/wicket-examples/src/main/java/org/apache/wicket/examples/csp/NonceDemoPage.java
+++ 
b/wicket-examples/src/main/java/org/apache/wicket/examples/csp/NonceDemoPage.java
@@ -1,21 +1,16 @@
 /*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * Licensed to the Apache Software Foundation (ASF) under one or more 
contributor license
+ * agreements. See the NOTICE file distributed with this work for additional 
information regarding
+ * copyright ownership. The ASF licenses this file to You under the Apache 
License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the 
License. You may obtain a
+ * copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless 
required by applicable
+ * law or agreed to in writing, software distributed under the License is 
distributed on an "AS IS"
+ * BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 
implied. See the License
+ * for the specific language governing permissions and limitations under the 
License.
  */
 package org.apache.wicket.examples.csp;
 
+import org.apache.wicket.AttributeModifier;
 import org.apache.wicket.ajax.AjaxRequestTarget;
 import org.apache.wicket.ajax.markup.html.AjaxLink;
 import org.apache.wicket.examples.WicketExamplePage;
@@ -35,10 +30,13 @@ import org.apache.wicket.request.resource.ResourceReference;
  */
 public class NonceDemoPage extends WicketExamplePage
 {
-       
-       private static final ResourceReference JS_DELAYED = new 
JavaScriptResourceReference(NonceDemoPage.class, "delayedVisible.js");
-       private static final ResourceReference CSS_DELAYED = new 
CssResourceReference(NonceDemoPage.class, "delayedVisible.css");
-       
+
+       private static final ResourceReference JS_DELAYED =
+               new JavaScriptResourceReference(NonceDemoPage.class, 
"delayedVisible.js");
+
+       private static final ResourceReference CSS_DELAYED =
+               new CssResourceReference(NonceDemoPage.class, 
"delayedVisible.css");
+
        private final IModel<Integer> clickMeCountModel = Model.of(0);
 
        public NonceDemoPage()
@@ -50,13 +48,16 @@ public class NonceDemoPage extends WicketExamplePage
                final Label clickMeCount = new Label("clickMeCount", 
clickMeCountModel);
                clickMeCount.setOutputMarkupId(true);
                add(clickMeCount);
-               
-               final WebMarkupContainer delayedVisible = new 
WebMarkupContainer("delayedVisible") {
+
+               final WebMarkupContainer delayedVisible = new 
WebMarkupContainer("delayedVisible")
+               {
+                       private static final long serialVersionUID = 1L;
+
                        @Override
                        public void renderHead(IHeaderResponse response)
                        {
                                super.renderHead(response);
-                               
+
                                
response.render(JavaScriptHeaderItem.forReference(JS_DELAYED));
                                
response.render(CssHeaderItem.forReference(CSS_DELAYED));
                        }
@@ -65,8 +66,14 @@ public class NonceDemoPage extends WicketExamplePage
                delayedVisible.setVisible(false);
                add(delayedVisible);
                
+               WebMarkupContainer blacktext = new 
WebMarkupContainer("blacktext");
+               blacktext.setOutputMarkupId(true);
+               add(blacktext);
+
                add(new AjaxLink<String>("clickMe")
                {
+                       private static final long serialVersionUID = 1L;
+
                        @Override
                        public void onClick(AjaxRequestTarget target)
                        {
@@ -75,11 +82,15 @@ public class NonceDemoPage extends WicketExamplePage
                                // target.add (works even without unsafe-eval)
                                target.add(clickMeCount);
 
-                               // append javascript (won't work without 
unsafe-eval)
-                               
target.appendJavaScript("document.querySelector(\".click-me-text\").innerHTML = 
\"replaced\";");
-                               
+                               // append javascript (works even without 
unsafe-eval)
+                               target.appendJavaScript(
+                                       
"document.querySelector(\".click-me-text\").innerHTML = \"replaced\";");
+
                                delayedVisible.setVisible(true);
                                target.add(delayedVisible);
+                               
+                               
blacktext.add(AttributeModifier.replace("style", "color: red"));
+                               target.add(blacktext);
                        }
                }.setOutputMarkupId(true));
        }
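Review bot: `blacktext.add(AttributeModifier.replace("style", "color: red"))` runs inside `onClick`, so every click appends another AttributeModifier behavior to the component instead of replacing the previous one; the rendered attribute is the same, but the behavior list and the page's serialized state grow with each click. Add the modifier once in the constructor, or guard the call with `if (blacktext.getBehaviors(AttributeModifier.class).isEmpty())`. The demo's intent (inline `style` attributes are blocked by the CSP even though Ajax `appendJavaScript` still runs) would be clearer with a short comment above the `blacktext` lines, e.g. `// inline style attribute is blocked by style-src without 'unsafe-inline'; text stays black`. The enclosing anonymous `AjaxLink` starts in the previous hunk.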
@@ -90,14 +101,12 @@ public class NonceDemoPage extends WicketExamplePage
                super.renderHead(response);
                // Add inline script with nonce
                response.render(JavaScriptHeaderItem.forScript(
-                               
"$(function(){$(\".test-nonce-script\").html(\"Text injected by script with 
nonce: success\");});",
-                               "test-nonce-script"
-               ));
+                       "$(function(){$(\".test-nonce-script\").html(\"Text 
injected by script with nonce: success\");});",
+                       "test-nonce-script"));
                // Add inline css with nonce
-               response.render(CssHeaderItem.forCSS(
-                               ".injected-style--with-nonce{color: green; 
font-weight: bold;}",
-                               "injected-style-with-nonce")
-               );
+               response.render(
+                       
CssHeaderItem.forCSS(".injected-style--with-nonce{color: green; font-weight: 
bold;}",
+                               "injected-style-with-nonce"));
        }
 
        @Override
