svenmeier commented on pull request #439: URL: https://github.com/apache/wicket/pull/439#issuecomment-667327014
I'm all for this new feature, and the new implementation works fine as it seems. But the integration into the old CsrfPreventionRequestCycleListener is just hacky. The whole class is centered around the request origin, and it shows in the new method checkRequestFetchMetadata() - it checks a origin whitelist, when actually it has nothing to do with origins (note the method name) - it calls matchingOrigin, when actually it didn't check the origin - it takes action according to conflictingOriginAction, when actually it doesn't detect any origin conflicts There are many other inconsistencies that can easily spotted when reading the Javadoc - which haven't been updated btw. If this is supposed to be a hack to get this new protection into production ASAP, go ahead - probably no users will see this code anyway. But if we want to get this integrated nicely, I would suggest we create a new listener and deprecated the old one. ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
