Important notes before you start

With version 9, Wicket introduced a content security policy (CSP) that is active by default and prevents inline JavaScript and CSS code from being executed. If you are not planning to make your web app CSP compliant, you can disable this policy with a single line of code during app initialization:

// In your application class: disable the blocking CSP
@Override
public void init() {
  super.init();
  getCspSettings().blocking().disabled();
}

For more details, see the Content Security Policy section.

Component placeholders and form hidden fields

...

/* applied to *all* divs, including hidden */
div {
  display: flex;
}

/* fix */
*[hidden] {
  display: none;
}

...

The order of siblings' PriorityHeaderItems is now preserved.

Content Security Policy (WICKET-6733)

A strict content security policy (CSP) is now in effect in Wicket 9. This policy forbids any inline JavaScript and styling, including inline JavaScript event handlers. This CSP greatly enhances the security of a web application, but it can be difficult to make a large application compliant. See WICKET-6687 for the changes that were made in Wicket for this change.
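
Because the policy rejects inline handlers, inline styling and inline script blocks, a practical first migration step is to locate them in existing templates. The script below is an added example (not part of the Wicket project or the original page) that audits markup for those constructs; the sample template, the class and function names, and the rule that a `nonce` attribute marks an allowed block are assumptions.

```python
from html.parser import HTMLParser

# Constructed sample template (not taken from Wicket or from the page).
SAMPLE = """<head>
  <style>div { display: flex; }</style>
  <script src="app.js"></script>
</head>
<body>
  <a wicket:id="save" href="#" onclick="save()">Save</a>
  <div wicket:id="panel" style="display:none"></div>
  <script>init();</script>
</body>
"""

class InlineCodeAudit(HTMLParser):
    """Collects (line, tag, reason) for markup a strict CSP would block."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def _flag(self, tag, reason):
        self.findings.append((self.getpos()[0], tag, reason))

    def handle_starttag(self, tag, attrs):
        names = {name: (value or "") for name, value in attrs}
        for name in names:
            if name.startswith("on"):  # onclick, onload, ... (heuristic)
                self._flag(tag, f"inline event handler '{name}'")
        if "style" in names:
            self._flag(tag, "inline style attribute")
        for url_attr in ("href", "src", "action"):
            if names.get(url_attr, "").strip().lower().startswith("javascript:"):
                self._flag(tag, f"javascript: URL in '{url_attr}'")
        # Assumption: a block carrying a nonce is one the policy allows.
        if tag == "script" and "src" not in names and "nonce" not in names:
            self._flag(tag, "inline <script> without nonce")
        if tag == "style" and "nonce" not in names:
            self._flag(tag, "inline <style> without nonce")

def audit(markup):
    parser = InlineCodeAudit()
    parser.feed(markup)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    for line, tag, reason in audit(SAMPLE):
        print(f"line {line}: <{tag}> {reason}")
```

Each finding marks a place where the behaviour has to move into an external resource or a server-side header contribution before the blocking policy can stay enabled.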

...

While we do not recommend disabling the CSP entirely, this can be done with one line of code in your application's init method:

getCspSettings().blocking().disabled();

Disabling the CSP will not make your application less secure than it was with Wicket 8, but you will miss the extra protection against attacks like XSS.

...