WICKET-7149: Add Integrity and CrossOrigin values to ResourceReference and related code #1102
+297
−5
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…d using values for creating JS/CSS reference header items Added two new variables to the ResourceReference class. These new values allow for better JavaScriptReferenceHeaderItem and CssReferenceHeaderItem creation, allowing those classes to access the resource reference identity/CrossOrigin values if they are not already defined at the header item level. Also fixed a bug with the AbstractCssReferenceHeaderItem class where it was directly accessing the identity and crossOrigin values instead of it going through the accessor methods like it should.
martin-g
approved these changes
Feb 14, 2025
bitstorm
approved these changes
Feb 17, 2025
Added unit tests for ResourceReference, JavaScriptReferenceHeaderItem and CssReferenceHeaderItem classes.
|
Added unit tests for related changes.
From: Andrea Del Bene ***@***.***>
Sent: Monday, February 17, 2025 9:42 AM
To: apache/wicket ***@***.***>
Cc: Michael Pritt ***@***.***>; Author ***@***.***>
Subject: [EXTERNAL] Re: [apache/wicket] Adding Integrity and CrossOrigin values to ResourceReference and related code (PR #1102)
BE CAREFUL:
This email originated from outside the organization. Do not click links, open attachments, or enter user credentials, unless you recognize the sender and know the content is safe.
BE CAREFUL:
@bitstorm approved this pull request.
—
Reply to this email directly, view it on GitHub<#1102 (review)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AL5EAOZGSZBMAA3EXIAQGUD2QIGNTAVCNFSM6AAAAABXDKOJACVHI2DSMVQWIX3LMV43YUDVNRWFEZLROVSXG5CSMV3GSZLXHMZDMMRRGU2DEMBUHE>.
You are receiving this because you authored the thread.Message ID: ***@***.******@***.***>>
|
Signed-off-by: Martin Tzvetanov Grigorov <mgrigorov@apache.org>
martin-g
changed the title
|
Thank you, @mpritt ! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Synopsis
Added two new variables to the ResourceReference class. Added code to use these values in both the JavaScriptReferenceHeaderItem and CssReferenceHeaderItem classes. Also fixed a bug with the AbstractCssReferenceHeaderItem class where it was directly accessing the identity and crossOrigin values directly instead of going through accessor methods.
In-depth Detail:
It is easy to create the integrity and cross origin values needed when the we have the control over the creation of the JavaScriptHeaderItem or CssReferenceHeaderItem. It becomes much more difficult when there are resources that are created and then stored in wicket framework classes (whether resource references are framework or user created), because these resources are used later by the framework when it does the actual creation of the header items (i.e. like JavaScriptHeaderItem.forReference()).
Supporting scenario...try setting the integrity hash for the "wicket-ajax-jquery.js" file which is referenced from the wicket-core-10.1.0.jar. This resource is created initially through the WicketAjaxJQueryResourceReference class and used in the JavaScriptLibrarySettings class. The call getWicketAjaxReference() inside the JavaScriptLibrarySettings is used by the framework in various places, and those places create the actual JavaScriptReferenceHeaderItem (see OnDomReadyHeaderItem.getDependencies() as an example). While it is possible to extend a few framework classes to overwrite the default behavior and create the JavaScriptReferenceHeaderItem directly and add the desired hash and cross-origin values, that method is not a desirable or maintainable.
By adding integrity and cross-origin variables to the definition of a ResourceReference class, those values can then be used in the rendering of the JavaScriptReferenceHeaderItem through overriding the getIntegrity() and getCrossOrigin() functions. If the header item's integrity value was not defined (i.e. null) then use the value defined from the ResourceReference (the same goes for the cross origin value).
It was also noticed that the AbstractCssReferenceHeaderItem's internalRenderCSSReference() function was not correctly referencing the integrity and cross origin values by directly accessing the values rather than using the accessor methods. Changes were made to this class to correctly use the accessor methods.