wicket-commits mailing list archives

From "Tobias Haupt (Jira)" <j...@apache.org>
Subject [jira] [Commented] (WICKET-6703) Eliminate window.eval from wicket-ajax-jquery
Date Thu, 15 Jul 2021 13:12:00 GMT

    [ https://issues.apache.org/jira/browse/WICKET-6703?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17381332#comment-17381332 ]

Tobias Haupt commented on WICKET-6703:
--------------------------------------

[~svenmeier] Created WICKET-6902 for further clarification. The problem is that we had to
fix our application every single time we updated to a major Wicket version, starting with Wicket
1.4, because the order of JavaScripts in the response had been changed again.

> Eliminate window.eval from wicket-ajax-jquery
> ---------------------------------------------
>
>                 Key: WICKET-6703
>                 URL: https://issues.apache.org/jira/browse/WICKET-6703
>             Project: Wicket
>          Issue Type: Improvement
>          Components: wicket-core
>    Affects Versions: 8.6.1
>            Reporter: Andrew Kondratev
>            Assignee: Sven Meier
>            Priority: Major
>             Fix For: 9.0.0-M4
>
>
> It's impossible to configure Wicket with a strict CSP policy without unsafe-eval and keep
> using AJAX, because most AJAX responses contain evaluations and header contributions which
> cause window.eval to be called.
> window.eval can be replaced with DOMEval with the nonce approach. DOM eval is available in
> jQuery as globalEval.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
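
The approach the issue describes, sketched as an added example (not Wicket's or jQuery's own code): a simplified model of `script-src` enforcement in which eval is refused under a policy without `'unsafe-eval'`, while a script element carrying the matching nonce still runs. `fakeDocument`, the policy strings and the nonce values are constructed for illustration; hash sources, `'strict-dynamic'` and `default-src` fallback are not modelled.

```javascript
// Simplified model of how a browser applies the script-src directive.
function parseScriptSrc(policy) {
  for (const directive of policy.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "script-src") return sources;
  }
  return null; // no script-src directive: this model applies no restriction
}

// eval() and new Function() are only permitted when 'unsafe-eval' is listed.
function evalAllowed(policy) {
  const sources = parseScriptSrc(policy);
  return sources === null || sources.includes("'unsafe-eval'");
}

// An inline <script> runs if its nonce matches a nonce source in the policy.
function inlineScriptAllowed(policy, scriptNonce) {
  const sources = parseScriptSrc(policy);
  if (sources === null) return true;
  const nonces = sources.filter((s) => /^'nonce-[A-Za-z0-9+\/_-]+={0,2}'$/.test(s));
  if (scriptNonce && nonces.includes(`'nonce-${scriptNonce}'`)) return true;
  // 'unsafe-inline' is ignored as soon as the policy carries a nonce source.
  return nonces.length === 0 && sources.includes("'unsafe-inline'");
}

// DOMEval-style execution: run code through a nonce-carrying <script>
// element instead of window.eval. `doc` is the page's document.
function domEval(code, nonce, doc) {
  const script = doc.createElement("script");
  script.text = code;
  if (nonce) script.setAttribute("nonce", nonce);
  doc.head.appendChild(script).parentNode.removeChild(script);
}

// Constructed stand-in for a browser document that enforces `policy` on
// appended scripts, so the example runs outside a browser. Scripts the
// policy would let run are recorded in `executed`.
function fakeDocument(policy, executed) {
  const head = {
    appendChild(el) {
      if (inlineScriptAllowed(policy, el.attrs.nonce)) executed.push(el.text);
      el.parentNode = head;
      return el;
    },
    removeChild(el) { el.parentNode = null; return el; },
  };
  const createElement = () => ({ text: "", attrs: {}, setAttribute(k, v) { this.attrs[k] = v; } });
  return { head, createElement };
}
```

In a real page the nonce is generated per response on the server and must be the same value in the `Content-Security-Policy` header and on the script element.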
