[ https://issues.apache.org/jira/browse/WICKET-7028?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ernesto Reinaldo Barreiro updated WICKET-7028:
----------------------------------------------
    Attachment: image-2023-04-05-13-13-46-451.png

> CSP header not rendered when using RedirectPolicy.NEVER_REDIRECT
> ----------------------------------------------------------------
>
>                 Key: WICKET-7028
>                 URL: https://issues.apache.org/jira/browse/WICKET-7028
>             Project: Wicket
>          Issue Type: Bug
>    Affects Versions: 9.12.0
>            Reporter: Youri de Boer
>            Priority: Critical
>             Fix For: 10.0.0, 9.13.0
>
>         Attachments: examplecsp.zip, image-2023-04-05-10-58-33-645.png,
>                      image-2023-04-05-13-13-46-451.png, withcsp.png, withoutcsp.png
>
>
> We're busy with a project to replace every page in our application with a
> newer version. We don't want to break existing bookmarks, but we also don't
> want to have untested new pages in production. As a solution, all our new
> pages are only accessible via a feature toggle.
> A simplified version looks like:
> SimplePage.html
> {code}
> <!DOCTYPE html>
> <html xmlns:wicket="http://wicket.apache.org">
> <head>
>     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
>     <title></title>
> </head>
> <body>
>     <div wicket:id="label"></div>
> </body>
> </html>
> {code}
> SimplePage.java
> {code}
> import org.apache.wicket.markup.html.WebPage;
>
> public class SimplePage extends WebPage {
>     public SimplePage() {
>         super();
>     }
> }
> {code}
>
> OldPage.java
> {code}
> import org.apache.wicket.markup.html.basic.Label;
>
> public class OldPage extends SimplePage {
>     public OldPage() {
>     }
>
>     @Override
>     protected void onInitialize() {
>         super.onInitialize();
>         add(new Label("label", "OldPage"));
>     }
> }
> {code}
>
> NewPage.java
> {code}
> import org.apache.wicket.RestartResponseException;
> import org.apache.wicket.core.request.handler.PageProvider;
> import org.apache.wicket.core.request.handler.RenderPageRequestHandler.RedirectPolicy;
> import org.apache.wicket.markup.html.basic.Label;
>
> public class NewPage extends SimplePage {
>     public NewPage() {
>         if (featureFlagDisabled()) {
>             // new page is not ready yet, show users the old page
>             throw new RestartResponseException(
>                 new PageProvider(OldPage.class),
>                 RedirectPolicy.NEVER_REDIRECT
>             );
>         }
>     }
>
>     private boolean featureFlagDisabled() {
>         return true;
>     }
>
>     @Override
>     protected void onInitialize() {
>         super.onInitialize();
>         add(new Label("label", "NewPage"));
>     }
> }
> {code}
>
> And in our application class:
> {code}
> mountPage("page1", NewPage.class);
> mountPage("page2", OldPage.class);
> getCspSettings()
>     .blocking();
> {code}
> The url 'page1' is known to our users. The url 'page2' is not known to our
> users. Besides ending up with outdated bookmarks, there's no harm if they
> would access it directly.
> Regardless of which url you open, the RestartResponseException ensures the
> response in the browser is always 'OldPage'.
> However, the CSP is not included if wicket performs the internal redirect. If
> I open the url 'page2' directly, the result does include a CSP. See attached
> screenshots.
> A workaround for this issue is a client side redirect; but then the users
> would see the url change.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
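
A regression check for the behaviour reported above, as an added example that is not part of the original message or of Wicket: it classifies recorded response heads by whether an enforcing CSP header accompanies each HTML page. The response heads, the CSP value and all function names are constructed for illustration; `/page1` and `/page2` mirror the two mounts in the report.

```python
from email.parser import Parser

# Constructed response heads (not captured from the reporter's application).
# /page1 stands for the route that restarts the response with NEVER_REDIRECT.
CSP_VALUE = "default-src 'none'; script-src 'nonce-CONSTRUCTED'"
CAPTURED = {
    "/page1": "HTTP/1.1 200 OK\r\nContent-Type: text/html;charset=UTF-8\r\n\r\n",
    "/page2": "HTTP/1.1 200 OK\r\ncontent-type: text/html;charset=UTF-8\r\n"
              f"content-security-policy: {CSP_VALUE}\r\n\r\n",
    "/report": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
               f"Content-Security-Policy-Report-Only: {CSP_VALUE}\r\n\r\n",
    "/moved": "HTTP/1.1 302 Found\r\nLocation: /page2\r\n\r\n",
    "/app.css": "HTTP/1.1 200 OK\r\nContent-Type: text/css\r\n\r\n",
}


def parse_head(raw):
    """Split a raw response head into (status code, case-insensitive headers)."""
    status_line, _, header_block = raw.partition("\r\n")
    status = int(status_line.split()[1])
    return status, Parser().parsestr(header_block, headersonly=True)


def csp_state(raw):
    """Classify one response: 'enforced', 'report-only', 'missing' or 'n/a'."""
    status, headers = parse_head(raw)
    # Only rendered HTML documents need the policy; redirects and assets do not.
    if status != 200 or headers.get_content_type() != "text/html":
        return "n/a"
    if any(v.strip() for v in headers.get_all("Content-Security-Policy", [])):
        return "enforced"
    # A report-only header does not block anything, so it is not equivalent
    # to the blocking configuration shown in the report.
    if headers.get_all("Content-Security-Policy-Report-Only"):
        return "report-only"
    return "missing"


def audit(captured):
    """Map each requested path to its CSP state."""
    return {path: csp_state(raw) for path, raw in captured.items()}


def unprotected(captured):
    """Paths that served HTML without an enforcing policy."""
    return sorted(p for p, s in audit(captured).items()
                  if s in ("missing", "report-only"))


if __name__ == "__main__":
    for path, state in audit(CAPTURED).items():
        print(f"{path:10} {state}")
```

Feed it the heads recorded by a smoke test that requests every mounted URL, so a route that reaches a page through an internal restart is checked separately from that page's own URL.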