Hi all,

Do you agree on this one? I see no use for these classes anymore, as
support for window.defaultStatus has been dropped by all major
browsers. They also log server time, but we have other and better
solutions for that.

Best regards,
Emond

On Tue, Feb 4, 2020 at 8:37 PM Emond Papegaaij (Jira) <[email protected]> wrote:
>
> Emond Papegaaij created WICKET-6745:
> ---------------------------------------
>
>              Summary: CSP: inline JS in server and client time response filters
>                  Key: WICKET-6745
>                  URL: https://issues.apache.org/jira/browse/WICKET-6745
>              Project: Wicket
>           Issue Type: Bug
>           Components: wicket-core, wicket-examples
>     Affects Versions: 9.0.0-M4
>             Reporter: Emond Papegaaij
>
>
> {{ServerAndClientTimeFilter}}, {{AjaxServerAndClientTimeFilter}} and 
> {{ServerHostNameAndTimeFilter}} all render inline script tags. Because these 
> tags are rendered in a non-standard way, the nonce is not added, violating 
> the CSP.
>
> These filters all put status information in {{window.defaultStatus}}. This 
> property has been deprecated for years and support has been removed in most 
> (if not all) browsers. My suggestion is to deprecate these classes in core 
> and remove the one in examples. In the deprecated version, there is no need 
> to fix the CSP violation.
>
>
>
> --
> This message was sent by Atlassian Jira
> (v8.3.4#803005)
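Added example, not code from the Wicket project or from this thread: a Python check that scans a rendered response body for inline script tags whose nonce attribute is missing or does not match the nonce granted by the Content-Security-Policy header, the kind of violation the report above describes. The CSP header and HTML body are constructed samples; the second script imitates a filter writing window.defaultStatus inline without a nonce.

```python
import re
from html.parser import HTMLParser

# Constructed sample policy and response body (not taken from Wicket);
# the second script mimics a filter writing window.defaultStatus inline.
CSP_HEADER = "default-src 'self'; script-src 'self' 'nonce-abc123'"
SAMPLE_HTML = """<html><head>
<script nonce="abc123">window.foo = 1;</script>
<script>window.defaultStatus = 'Server time 12ms';</script>
<script src="/app.js"></script>
<script type="application/json">{"a": 1}</script>
</head></html>"""

NONCE_SOURCE = re.compile(r"'nonce-([A-Za-z0-9+/=_-]+)'$")

def csp_nonces(header):
    """Return the nonce values that script-src (or default-src as fallback) grants."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    sources = directives.get("script-src", directives.get("default-src", []))
    return {m.group(1) for m in map(NONCE_SOURCE.match, sources) if m}

class InlineScriptAuditor(HTMLParser):
    """Record inline <script> elements whose nonce attribute is absent or wrong."""
    def __init__(self, nonces):
        super().__init__()
        self.nonces = nonces
        self.index = 0        # 1-based position of the script tag in the document
        self.violations = []  # (index, nonce attribute or None)

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        self.index += 1
        a = dict(attrs)
        if a.get("src") is not None:
            return  # external scripts are governed by host sources, not the nonce
        if (a.get("type") or "").lower() in ("application/json", "application/ld+json"):
            return  # data blocks are never executed, so script-src does not apply
        if a.get("nonce") not in self.nonces:
            self.violations.append((self.index, a.get("nonce")))

def audit(html, csp_header):
    """Return the inline scripts in html that a browser enforcing csp_header would block."""
    auditor = InlineScriptAuditor(csp_nonces(csp_header))
    auditor.feed(html)
    auditor.close()
    return auditor.violations
```

The check assumes a nonce-based script-src; a policy relying on 'unsafe-inline' or hashes would need a different rule.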