[ 
https://issues.apache.org/jira/browse/WICKET-7028?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ernesto Reinaldo Barreiro updated WICKET-7028:
----------------------------------------------
    Attachment: image-2023-04-05-13-13-46-451.png

> CSP header not rendered when using RedirectPolicy.NEVER_REDIRECT
> ----------------------------------------------------------------
>
>                 Key: WICKET-7028
>                 URL: https://issues.apache.org/jira/browse/WICKET-7028
>             Project: Wicket
>          Issue Type: Bug
>    Affects Versions: 9.12.0
>            Reporter: Youri de Boer
>            Priority: Critical
>             Fix For: 10.0.0, 9.13.0
>
>         Attachments: examplecsp.zip, image-2023-04-05-10-58-33-645.png, 
> image-2023-04-05-13-13-46-451.png, withcsp.png, withoutcsp.png
>
>
> We're busy with a project to replace every page in our application with a 
> newer version. We don't want to break existing bookmarks, but we also don't 
> want to have untested new pages in production.  As a solution, all our new 
> pages are only accessible via a feature toggle.
> A simplified version looks like:
> SimplePage.html
> {code}
> <!DOCTYPE html>
> <html xmlns:wicket="http://wicket.apache.org">
> <head>
> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
> <title></title>
> </head>
> <body>
>     <div wicket:id="label"></div>
> </body>
> </html>
> {code}
>  SimplePage.java
> {code}
> public class SimplePage extends WebPage {
>     public SimplePage() {
>         super();
>     }
> }
> {code}
>  
> OldPage.java
> {code}
> public class OldPage extends SimplePage {
>     public OldPage() {
>     }
>     @Override
>     protected void onInitialize() {
>         super.onInitialize();
>         add(new Label("label", "OldPage"));
>     }
> }
> {code}
>  
> NewPage.java
> {code}
> public class NewPage extends SimplePage {
>     public NewPage() {
>         if (featureFlagDisabled()) {
>             // new page is not ready yet, show users the old page
>             throw new RestartResponseException(
>                     new PageProvider(OldPage.class),
>                     RedirectPolicy.NEVER_REDIRECT
>                     );
>         }
>     }
>     private boolean featureFlagDisabled() {
>         return true;
>     }
>     @Override
>     protected void onInitialize() {
>         super.onInitialize();
>         add(new Label("label", "NewPage"));
>     }
> }
> {code}
>  
> And in our application class:
> {code}
> mountPage("page1", NewPage.class);
> mountPage("page2", OldPage.class);
> getCspSettings()
>     .blocking();
> {code}
> The url 'page1' is known to our users. The url 'page2' is not known to our 
> users. Besides ending up with outdated bookmarks, there's no harm if they 
> would access it directly.
> Regardless of which url you open, the RestartResponseException ensures the 
> response in the browser is always 'OldPage'.
> However, the CSP is not included if wicket performs the internal redirect. If 
> I open the url 'page2' directly, the result does include a CSP. See attached 
> screenshots.
> A workaround for this issue is a client side redirect; but then the users 
> would see the url change.
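A regression check for the behaviour described in the report, as an added example (not code from the report or from the Wicket project): a WicketTester test that renders both mounted URLs and asserts that the Content-Security-Policy header is present on each response, including the one produced by the internal restart. It assumes the NewPage and OldPage classes from the report, JUnit 5, and Wicket 9's `blocking().strict()` CSP preset (the report only calls `blocking()`).

```java
import org.apache.wicket.mock.MockApplication;
import org.apache.wicket.util.tester.WicketTester;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;

import static org.junit.jupiter.api.Assertions.assertNotNull;

/** Added example: both mount points must deliver a CSP header, regardless of the internal restart. */
class CspOnRestartResponseTest {
    private static final String CSP_HEADER = "Content-Security-Policy";
    private WicketTester tester;

    @BeforeEach
    void setUp() {
        // Mirrors the application class from the report; strict() is an assumption of this example.
        tester = new WicketTester(new MockApplication() {
            @Override
            protected void init() {
                super.init();
                mountPage("page1", NewPage.class);
                mountPage("page2", OldPage.class);
                getCspSettings().blocking().strict();
            }
        });
    }

    @AfterEach
    void tearDown() {
        tester.destroy();
    }

    @Test
    void directRequestToOldPageCarriesCsp() {
        tester.executeUrl("page2");
        tester.assertRenderedPage(OldPage.class);
        assertNotNull(tester.getLastResponse().getHeader(CSP_HEADER),
            "CSP header missing on a direct request");
    }

    @Test
    void restartResponseWithoutRedirectCarriesCsp() {
        // NewPage's constructor throws RestartResponseException(OldPage, NEVER_REDIRECT),
        // so the browser still sees /page1 but receives OldPage's markup.
        tester.executeUrl("page1");
        tester.assertRenderedPage(OldPage.class);
        assertNotNull(tester.getLastResponse().getHeader(CSP_HEADER),
            "CSP header dropped when the page was served via an internal restart");
    }
}
```

On an affected 9.12.0 build the second test fails and the first passes, which is exactly the asymmetry the screenshots show; the same check can stay in the suite to guard the fix.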



--
This message was sent by Atlassian Jira
(v8.20.10#820010)