Hi,
I was recently reviewing one of the PRs (#7154 - “Wicket 9 upgrade”). This looks like it's brought in some changes WRT content-security-policy, which has some implications for wicket-with-javascript.
I loaded the GS homepage, and I got a content-security-policy issue about some javascript.
Tracking it down, it was a single line of javascript
In order to fix this, I removed that, and modified GeoserverBasePage#renderHeader to include:
response.render(OnDomReadyHeaderItem.forScript("$('input, textarea').placeholder();"));
Wicket will embed that command in a dom-ready event. Something like this:
CSP adds the CSP header with a per-request nonce="…" that will allow this code block to execute (the CSP header nonce and the script nonce must match).
The alternative for something like this would be to create a tiny JS file for the page that would have the $('input, textarea').placeholder(); code in it. This could be added, via wicket, in the same manner.
A second alternative is adding a hash to the tag - but I'm not sure if I like that from a maintenance/security perspective.
Is there any guidance for this?
Also, this would mean removing any onClick= or onChange= handlers in the HTML, to be attached by a JS command instead. Something like this:
$("#someElement").on("change", function(event) {
    someFunction(this);
});
I’ve noticed that the Demo Requests page (a complex js-and-wicket page) isn’t working anymore. I expect this is due to some click/change handlers. I will look into that tomorrow, but I didn’t want to spend a bunch of time “doing the wrong thing” so I am asking here.
Any guidance on how to proceed?
Cheers,
Dave