[jira] [Commented] (WICKET-7107) CSP Header not rendered when using RedirectPolicy.AUTO_REDIRECT

Thu, 25 Apr 2024 13:06:13 -0700 


    [ 
https://issues.apache.org/jira/browse/WICKET-7107?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17840952#comment-17840952
 ] 

ASF GitHub Bot commented on WICKET-7107:
----------------------------------------

dr0ps commented on PR #846:
URL: https://github.com/apache/wicket/pull/846#issuecomment-2078081010

   ResetResponseException$ResponseResettingDecorator#respond(RequestCycle) 
calls reset() on the response object. The current implementation in 
BaseWicketTester$WicketTesterServletWebResponse does nothing which is not 
representative of the implementation in BufferedWebResponse or 
ServletWebResponse. I therefore added the clearing of cookies and headers which 
makes the tests fail.
   As the ResetResponseException then continues to call 
IRequestHandler#respond(RequestCycle) the onRequestHandlerResolved and 
onRequestHandlerExecuted in CSPRequestCycleListener will not be called. 
Therefore the CSP values are missing.




> CSP Header not rendered when using RedirectPolicy.AUTO_REDIRECT
> ---------------------------------------------------------------
>
>                 Key: WICKET-7107
>                 URL: https://issues.apache.org/jira/browse/WICKET-7107
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket-core
>    Affects Versions: 9.16.0
>            Reporter: Dirk Forchel
>            Priority: Major
>         Attachments: myproject.zip
>
>
> If we redirect to another Web Page and use the RedirectPolicy.AUTO_REDIRECT, 
> this results in the CSP directives being missing in the head of the result 
> page.
> I've attached a quickstart application to show the error. Just browse to 
> [http://localhost:8080/redirect|http://localhost:8080/redirect.] and use the 
> browser's developer console of your choice. The CSP is not included if Wicket 
> performs a RestartResponseException with a WebPage instance like this
> {code:java}
> throw new RestartResponseException(new HomePage(new PageParameters()));{code}
> If you open the home page directly 
> [http://localhost:8080/|http://localhost:8080/redirect.] the response does 
> include a CSP.
> There is an additional test for the CSPRequestCycleListener with different 
> page classes as test parameters.
> Relates to https://issues.apache.org/jira/browse/WICKET-7028



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to