...
The order of siblings' PriorityHeaderItems is now preserved.
Content Security Policy
A strict content security policy (CSP) is now in effect in Wicket 9. This policy forbids any inline JavaScript and styling. This includes inline JavaScript event handlers. This CSP greatly enhances the security of a web application, but it can be difficult to make a large application compliant. See
The documentation on the configuration of the CSP and guidelines for fixing violations can be found in the user guide: https://ci.apache.org/projects/wicket/guide/9.x/single.html#_content_security_policy_csp
While we do not recommend disabling the CSP entirely, this can be done with one line of code in your application's init method:
getCsp().blocking().disable();
Disabling the CSP will not make your application less secure than it was with Wicket 8, but you will miss the extra protection against attacks like XSS.
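The following script, added here and not taken from Wicket or its user guide, scans a markup template for the constructs the policy described above forbids: inline scripts and styles, style attributes and inline event handlers, plus javascript: URLs, which a policy without 'unsafe-inline' also blocks. The sample markup is constructed, and treating elements that carry a nonce attribute as allowed is an assumption about the policy in force.

```python
from html.parser import HTMLParser

# Constructed sample template (not from the Wicket code base).
SAMPLE = """<style>.warn { color: red; }</style>
<script src="app.js"></script>
<a href="#" onclick="save()">Save</a>
<div style="display:none" wicket:id="panel"></div>
<script>init();</script>
<a href="javascript:void(0)">Noop</a>"""

URL_ATTRS = ("href", "src", "action", "formaction")


class InlineAudit(HTMLParser):
    """Records markup that a CSP without 'unsafe-inline' would block."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (line, kind, detail)

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]  # 1-based line of the tag start
        names = dict(attrs)  # html.parser lowercases attribute names
        for name, value in attrs:
            if name.startswith("on"):  # heuristic: onclick, onload, ...
                self.findings.append((line, "event-handler", f"{tag}[{name}]"))
            elif name == "style":
                self.findings.append((line, "style-attribute", tag))
            elif name in URL_ATTRS and (value or "").strip().lower().startswith("javascript:"):
                self.findings.append((line, "javascript-url", f"{tag}[{name}]"))
        # Assumption: elements carrying a nonce are emitted by the framework
        # and allowed by the policy, so only nonce-less inline blocks count.
        if tag == "script" and "src" not in names and "nonce" not in names:
            self.findings.append((line, "inline-script", tag))
        elif tag == "style" and "nonce" not in names:
            self.findings.append((line, "inline-style", tag))


def audit(markup):
    """Return findings as (line, kind, detail) tuples in document order."""
    parser = InlineAudit()
    parser.feed(markup)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for line, kind, detail in audit(SAMPLE):
        print(f"line {line}: {kind}: {detail}")
```

Each finding marks a place where the markup has to move its script or style into an external resource or a framework-rendered header item before the strict policy stops reporting it.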
API Changes
Deprecate package org.apache.wicket.util.time from wicket-util
...