Changes
Important notes before you start
With version 9, Wicket introduced a content security policy (CSP) that is active by default and prevents inline JavaScript and CSS code from being executed. If you are not planning to make your web app CSP compliant, you can disable this policy with a single line of code during app initialization:
```java
// disable csp
public void init() {
    getCspSettings().blocking().disabled();
}
```
For more details see the CSP paragraph.
Component placeholders and form hidden fields
...
```css
/* applied to *all* divs, including hidden */
div {
    display: flex;
}
/* fix */
*[hidden] {
    display: none;
}
```
...
The order of siblings' PriorityHeaderItems is now preserved.
Content Security Policy (WICKET-6733)
A strict content security policy (CSP) is now in effect in Wicket 9. This policy forbids any inline JavaScript and styling, including inline JavaScript event handlers. This CSP greatly enhances the security of a web application, but it can be difficult to make a large application compliant. See WICKET-6687 for the changes that were made in Wicket itself for this.
...
While we do not recommend disabling the CSP entirely, this can be done with one line of code in your application's init method:
```java
getCspSettings().blocking().disabled();
```
Disabling the CSP will not make your application less secure than it was with Wicket 8, but you will miss the extra protection against attacks like XSS.
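A staged alternative to leaving the CSP off, shown as an added example that is not part of the original migration guide: turn off blocking, but keep the strict policy in report-only mode so browsers report violations back to the application while pages are being fixed. The class names, the `ENFORCE` switch and the `https://static.example.com` origin are assumptions made for illustration.

```java
import org.apache.wicket.Page;
import org.apache.wicket.csp.CSPDirective;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.protocol.http.WebApplication;

public class MigratingApplication extends WebApplication {

    // Hypothetical switch: set to true once no more violations are reported.
    private static final boolean ENFORCE = false;

    @Override
    protected void init() {
        super.init();

        if (ENFORCE) {
            // Keep the default strict, blocking policy and allow only the
            // one extra stylesheet origin the application really needs
            // (constructed example origin).
            getCspSettings().blocking()
                .add(CSPDirective.STYLE_SRC, "https://static.example.com");
        } else {
            // Migration phase: nothing is blocked, so legacy inline
            // scripts and styles keep working...
            getCspSettings().blocking().disabled();
            // ...but the strict policy is still sent as a report-only
            // header, and violations are reported back to the application.
            getCspSettings().reporting().strict().reportBack();
        }
    }

    @Override
    public Class<? extends Page> getHomePage() {
        return HomePage.class;
    }

    // Placeholder page so the example compiles; a real application
    // supplies its own page class with matching HomePage.html markup.
    public static class HomePage extends WebPage {
    }
}
```

Once the reports stop, switching `ENFORCE` to `true` restores the blocking policy, which is what provides the extra protection against XSS mentioned above.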
...