Hi,

>What about deprecating the current filters and writing a new one that
>just adds the Server-Timing header?

+1 to deprecate the current ones.

Sven


On 04.02.20 21:48, Emond Papegaaij wrote:
Hi Martin,

I like the idea of the 'Server-Timing' headers. I didn't know this feature yet.

However, these response filters also measure at the client side. The
time is recorded at the start of the head and again just after body. I
highly doubt this way of measuring gives a good indication of client
side performance. Chrome DevTools provides way more details in its
Performance tab. It's this client side time measurement that's
problematic. The filters render script tags directly into the
response, which makes it hard to add the nonce when needed for the
CSP.

What about deprecating the current filters and writing a new one that
just adds the Server-Timing header?

Emond

On Tue, Feb 4, 2020 at 9:28 PM Martin Grigorov <[email protected]> wrote:
On Tue, Feb 4, 2020 at 9:51 PM Martin Grigorov <[email protected]> wrote:

Hi,

"window.defaultStatus" could be easily replaced with console.log()

Those are usually used in DEV mode. I think it is fine to preserve them.

As a last resort we can render the value as a response header.
I remember Chromium has handling for some special response header and puts
its value in Dev Tools > Performance tab. I don't recall the name of the
header at the moment.

https://ma.ttias.be/server-timings-chrome-devtools/


On Tue, Feb 4, 2020 at 9:39 PM Emond Papegaaij <[email protected]>
wrote:

Hi all,

Do you agree on this one? I see no use for these classes anymore, as
support for window.defaultStatus has been dropped by all major
browsers. They also log server time, but we have other and better
solutions for that.

Best regards,
Emond

On Tue, Feb 4, 2020 at 8:37 PM Emond Papegaaij (Jira) <[email protected]>
wrote:
Emond Papegaaij created WICKET-6745:
---------------------------------------

Summary: CSP: inline JS in server and clienttime response filters
Key: WICKET-6745
URL: https://issues.apache.org/jira/browse/WICKET-6745
Project: Wicket
Issue Type: Bug
Components: wicket-core, wicket-examples
Affects Versions: 9.0.0-M4
Reporter: Emond Papegaaij


{{ServerAndClientTimeFilter}}, {{AjaxServerAndClientTimeFilter}} and
{{ServerHostNameAndTimeFilter}} all render inline script tags. Because
these tags are rendered in a non-standard way, the nonce is not added,
violating the CSP.
These filters all put status information in {{window.defaultStatus}}.
This property has been deprecated for years and support has been removed in
most (if not all) browsers. My suggestion is to deprecate these classes in
core and remove the one in examples. In the deprecated version, there is no
need to fix the CSP violation.
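As an added illustration of the replacement proposed in the thread (example code, not from the thread or from Wicket itself): a response filter that measures the server-side time from RequestCycle#getStartTime() and reports it through the Server-Timing header instead of rendering an inline script, so there is nothing for a CSP nonce to cover. The class name ServerTimingFilter, the metric name "wicket" and the assumption that the response is still buffered when response filters run are mine.

```java
import org.apache.wicket.request.cycle.RequestCycle;
import org.apache.wicket.request.http.WebResponse;
import org.apache.wicket.response.filter.IResponseFilter;
import org.apache.wicket.util.string.AppendingStringBuffer;

/**
 * Hypothetical replacement for the deprecated time filters: emits the server
 * render time as a Server-Timing header (W3C Server Timing) instead of an
 * inline <script> block. No inline JS is written into the body, so the CSP
 * needs no nonce for it, and Chrome DevTools displays the metric on its own.
 *
 * Register in Application#init():
 *   getRequestCycleSettings().addResponseFilter(new ServerTimingFilter());
 */
public class ServerTimingFilter implements IResponseFilter
{
	@Override
	public AppendingStringBuffer filter(AppendingStringBuffer responseBuffer)
	{
		RequestCycle cycle = RequestCycle.get();
		long serverMillis = System.currentTimeMillis() - cycle.getStartTime();

		// Assumption: Wicket buffers the response (its default), so response
		// filters run before the headers are flushed and can still add one.
		if (cycle.getResponse() instanceof WebResponse)
		{
			WebResponse response = (WebResponse)cycle.getResponse();
			// addHeader rather than setHeader: keeps Server-Timing entries
			// that other components (e.g. a database layer) already added.
			response.addHeader("Server-Timing", serverTimingValue("wicket", serverMillis));
		}
		// Body is returned untouched: nothing inline for the CSP to reject.
		return responseBuffer;
	}

	/** Formats one metric as name;dur=<milliseconds>;desc="<label>". */
	static String serverTimingValue(String metric, long millis)
	{
		return metric + ";dur=" + millis + ";desc=\"Wicket server time\"";
	}
}
```

The header can carry several comma-separated metrics, so a second filter or layer can report its own duration without touching this one.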

