Comment: Added CSP

...

The order of siblings' PriorityHeaderItems is now preserved.

Content Security Policy (WICKET-6733)

A strict content security policy (CSP) is now in effect in Wicket 9. This policy forbids any inline JavaScript and styling, including inline JavaScript event handlers. The CSP greatly enhances the security of a web application, but it can be difficult to make a large application compliant. See WICKET-6687 for the changes that were made in Wicket for this change.

The documentation on the configuration of the CSP and guidelines for fixing violations can be found in the user guide: https://ci.apache.org/projects/wicket/guide/9.x/single.html#_content_security_policy_csp

While we do not recommend disabling the CSP entirely, this can be done with one line of code in your application's init method:

getCsp().blocking().disable();

Disabling the CSP will not make your application less secure than it was with Wicket 8, but you will miss the extra protection against attacks like XSS.
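To gauge how much markup needs work before the strict policy can stay enabled, the following added example (not part of Wicket or of this guide) scans a template for the three things the policy forbids: inline scripts, inline styling and inline event handlers. The sample markup and all names are constructed for illustration, and the scanner assumes every inline block counts as a violation, without considering nonces.

```python
from html.parser import HTMLParser

# Constructed sample markup in the style of a Wicket page template.
SAMPLE_MARKUP = """<html>
<head>
  <style>.error { color: red; }</style>
  <script src="app.js"></script>
  <script>initPage();</script>
</head>
<body>
  <a wicket:id="save" onclick="return confirm('Save?');">Save</a>
  <div wicket:id="panel" style="display:none">...</div>
  <span wicket:id="label" class="ok">fine</span>
</body>
</html>
"""


class InlineCodeFinder(HTMLParser):
    """Collects (line, tag, reason) for markup a strict CSP would block."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        # HTMLParser already lowercases tag and attribute names.
        names = [name for name, _ in attrs]
        if tag == "script" and "src" not in names:
            self.findings.append((line, tag, "inline script"))
        if tag == "style":
            self.findings.append((line, tag, "inline style element"))
        for name in names:
            if name == "style":
                self.findings.append((line, tag, "style attribute"))
            elif name.startswith("on"):  # onclick, onchange, onload, ...
                self.findings.append((line, tag, f"event handler {name}"))

    # Self-closing tags such as <div style="..."/> get the same checks.
    handle_startendtag = handle_starttag


def find_inline_code(markup):
    """Return all findings for one markup string, in document order."""
    finder = InlineCodeFinder()
    finder.feed(markup)
    finder.close()
    return finder.findings
```

Each finding points at markup that has to move into an external resource or into code on the component side, following the guidelines in the user guide linked above.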

API Changes

Deprecate package org.apache.wicket.util.time from wicket-util (WICKET-6662)

...