This is an automated email from the ASF dual-hosted git repository. papegaaij pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/wicket.git
The following commit(s) were added to refs/heads/master by this push: new 1619809 WICKET-6727: only render CSP on RenderPageRequestHandler 1619809 is described below commit 16198099d8a965f17c85d2de7a6dce36b000ec26 Author: Emond Papegaaij <emond.papega...@topicus.nl> AuthorDate: Fri Mar 13 09:44:36 2020 +0100 WICKET-6727: only render CSP on RenderPageRequestHandler --- .../apache/wicket/csp/CSPRequestCycleListener.java | 8 +-- .../apache/wicket/examples/csp/NonceDemoPage.html | 1 + .../apache/wicket/examples/csp/NonceDemoPage.java | 71 ++++++++++++---------- 3 files changed, 45 insertions(+), 35 deletions(-) diff --git a/wicket-core/src/main/java/org/apache/wicket/csp/CSPRequestCycleListener.java b/wicket-core/src/main/java/org/apache/wicket/csp/CSPRequestCycleListener.java index f0acc52..3250174 100644 --- a/wicket-core/src/main/java/org/apache/wicket/csp/CSPRequestCycleListener.java +++ b/wicket-core/src/main/java/org/apache/wicket/csp/CSPRequestCycleListener.java @@ -16,8 +16,8 @@ */ package org.apache.wicket.csp; -import org.apache.wicket.core.request.handler.BufferedResponseRequestHandler; import org.apache.wicket.core.request.handler.IPageClassRequestHandler; +import org.apache.wicket.core.request.handler.RenderPageRequestHandler; import org.apache.wicket.request.IRequestHandler; import org.apache.wicket.request.IRequestHandlerDelegate; import org.apache.wicket.request.cycle.IRequestCycleListener; @@ -81,11 +81,11 @@ public class CSPRequestCycleListener implements IRequestCycleListener { return mustProtect(((IRequestHandlerDelegate)handler).getDelegateHandler()); } - if (handler instanceof IPageClassRequestHandler) + if (handler instanceof RenderPageRequestHandler) { - return settings.mustProtectPageRequest((IPageClassRequestHandler)handler); + return settings.mustProtectPageRequest((RenderPageRequestHandler)handler); } - return !(handler instanceof BufferedResponseRequestHandler); + return false; } } 
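Review bot: The new fallback `return false;` in mustProtect turns the listener fail-open for every handler type that is not a RenderPageRequestHandler (or a delegate wrapping one), whereas before only BufferedResponseRequestHandler was excluded; any other handler that writes HTML, including a project-specific IRequestHandler, is now served without a Content-Security-Policy header. That is a deliberate narrowing per the commit title, but it deserves a Javadoc line on mustProtect, whose signature lies outside the hunk, e.g. `Only page renders handled by {@link RenderPageRequestHandler} carry the CSP header; resources, Ajax responses and any other handler type are served without it.` The cast to RenderPageRequestHandler still satisfies mustProtectPageRequest if that method keeps its IPageClassRequestHandler parameter, since RenderPageRequestHandler implements it, but the import of IPageClassRequestHandler kept in the first hunk is now unused unless the rest of the file references it, which this diff does not show.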
diff --git a/wicket-examples/src/main/java/org/apache/wicket/examples/csp/NonceDemoPage.html b/wicket-examples/src/main/java/org/apache/wicket/examples/csp/NonceDemoPage.html index 32549a7..d22b416 100644 --- a/wicket-examples/src/main/java/org/apache/wicket/examples/csp/NonceDemoPage.html +++ b/wicket-examples/src/main/java/org/apache/wicket/examples/csp/NonceDemoPage.html @@ -13,6 +13,7 @@ <p></p> <button wicket:id="clickMe"><wicket:message key="clickMe" /></button> <div class="click-me-text">Click a button above to replace this text</div> + <div wicket:id="blacktext">This text will stay black even though color:red is added by the button above</div> <div><wicket:message key="clickMeCount" /> <span wicket:id="clickMeCount"></span></div> <p></p> <div wicket:id="delayedVisible" class="delayed-visible">This delayed shown text should be green and bold</div> diff --git a/wicket-examples/src/main/java/org/apache/wicket/examples/csp/NonceDemoPage.java b/wicket-examples/src/main/java/org/apache/wicket/examples/csp/NonceDemoPage.java index dce8079..4fe81b0 100644 --- a/wicket-examples/src/main/java/org/apache/wicket/examples/csp/NonceDemoPage.java +++ b/wicket-examples/src/main/java/org/apache/wicket/examples/csp/NonceDemoPage.java 
@@ -1,21 +1,16 @@ /* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. + * Licensed to the Apache Software Foundation (ASF) under one or more contributor license + * agreements. See the NOTICE file distributed with this work for additional information regarding + * copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance with the License. You may obtain a + * copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable + * law or agreed to in writing, software distributed under the License is distributed on an "AS IS" + * BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License + * for the specific language governing permissions and limitations under the License. */ package org.apache.wicket.examples.csp; +import org.apache.wicket.AttributeModifier; import org.apache.wicket.ajax.AjaxRequestTarget; import org.apache.wicket.ajax.markup.html.AjaxLink; import org.apache.wicket.examples.WicketExamplePage; 
@@ -35,10 +30,13 @@ import org.apache.wicket.request.resource.ResourceReference; */ public class NonceDemoPage extends WicketExamplePage { - - private static final ResourceReference JS_DELAYED = new JavaScriptResourceReference(NonceDemoPage.class, "delayedVisible.js"); - private static final ResourceReference CSS_DELAYED = new CssResourceReference(NonceDemoPage.class, "delayedVisible.css"); - + + private static final ResourceReference JS_DELAYED = + new JavaScriptResourceReference(NonceDemoPage.class, "delayedVisible.js"); + + private static final ResourceReference CSS_DELAYED = + new CssResourceReference(NonceDemoPage.class, "delayedVisible.css"); + private final IModel<Integer> clickMeCountModel = Model.of(0); public NonceDemoPage() @@ -50,13 +48,16 @@ public class NonceDemoPage extends WicketExamplePage final Label clickMeCount = new Label("clickMeCount", clickMeCountModel); clickMeCount.setOutputMarkupId(true); add(clickMeCount); - - final WebMarkupContainer delayedVisible = new WebMarkupContainer("delayedVisible") { + + final WebMarkupContainer delayedVisible = new WebMarkupContainer("delayedVisible") + { + private static final long serialVersionUID = 1L; + @Override public void renderHead(IHeaderResponse response) { super.renderHead(response); - + response.render(JavaScriptHeaderItem.forReference(JS_DELAYED)); response.render(CssHeaderItem.forReference(CSS_DELAYED)); } @@ -65,8 +66,14 @@ public class NonceDemoPage extends WicketExamplePage delayedVisible.setVisible(false); add(delayedVisible); + WebMarkupContainer blacktext = new WebMarkupContainer("blacktext"); + blacktext.setOutputMarkupId(true); + add(blacktext); + add(new AjaxLink<String>("clickMe") { + private static final long serialVersionUID = 1L; + @Override public void onClick(AjaxRequestTarget target) { 
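Review bot: In the `@@ -65` hunk `blacktext` is declared without `final`, unlike `delayedVisible` and `clickMeCount` just above it, even though it is captured by the anonymous AjaxLink's onClick, whose body continues in the next hunk; `final WebMarkupContainer blacktext = new WebMarkupContainer("blacktext");` keeps the constructor's locals consistent and makes the capture explicit rather than relying on effectively-final inference. The enclosing constructor NonceDemoPage() opens in the `@@ -35` hunk and closes beyond this one.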
@@ -75,11 +82,15 @@ public class NonceDemoPage extends WicketExamplePage // target.add (works even without unsafe-eval) target.add(clickMeCount); - // append javascript (won't work without unsafe-eval) - target.appendJavaScript("document.querySelector(\".click-me-text\").innerHTML = \"replaced\";"); - + // append javascript (works even without unsafe-eval) + target.appendJavaScript( + "document.querySelector(\".click-me-text\").innerHTML = \"replaced\";"); + delayedVisible.setVisible(true); target.add(delayedVisible); + + blacktext.add(AttributeModifier.replace("style", "color: red")); + target.add(blacktext); } }.setOutputMarkupId(true)); } @@ -90,14 +101,12 @@ public class NonceDemoPage extends WicketExamplePage super.renderHead(response); // Add inline script with nonce response.render(JavaScriptHeaderItem.forScript( - "$(function(){$(\".test-nonce-script\").html(\"Text injected by script with nonce: success\");});", - "test-nonce-script" - )); + "$(function(){$(\".test-nonce-script\").html(\"Text injected by script with nonce: success\");});", + "test-nonce-script")); // Add inline css with nonce - response.render(CssHeaderItem.forCSS( - ".injected-style--with-nonce{color: green; font-weight: bold;}", - "injected-style-with-nonce") - ); + response.render( + CssHeaderItem.forCSS(".injected-style--with-nonce{color: green; font-weight: bold;}", + "injected-style-with-nonce")); } @Override
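Review bot: `blacktext.add(AttributeModifier.replace("style", "color: red"));` in onClick attaches a new AttributeModifier behavior on every click, so the component's behavior list grows for as long as the page lives; the rendered output does not change because each instance replaces the same attribute, which hides the accumulation. Attach the modifier once in the constructor (the `@@ -65` hunk) backed by a model, `final IModel<String> blackStyle = new Model<>();` and `blacktext.add(AttributeModifier.replace("style", blackStyle));`, and let onClick only do `blackStyle.setObject("color: red");` — a null model value should leave the attribute unset until the first click, but confirm that against AttributeModifier's null handling. The anonymous AjaxLink whose onClick this is opens in the preceding hunk.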