...
Disabling the CSP will not make your application less secure than it was with Wicket 8, but you will miss the extra protection against attacks like XSS.
Flush and detach (and asynchronous page serialization)
Since Wicket 8.x pages were serialized asynchronously by default
Jira |
---|
server | ASF JIRA |
---|
columns | key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution |
---|
serverId | 5aa69414-a9e9-3523-82ec-879b028fb15b |
---|
key | WICKET-6177 |
---|
|
, i.e. requests are processed, detached and flushed to the client without waiting for the serialization of the touched pages. This feature was introduced to reduce the response time for requests to Wicket pages.However this resulted in possible race conditions, when consecutive requests hit an identical page instance, which is still under process of serialization from a prior request.
Jira |
---|
server | ASF JIRA |
---|
columns | key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution |
---|
serverId | 5aa69414-a9e9-3523-82ec-879b028fb15b |
---|
key | WICKET-6702 |
---|
|
Jira |
---|
server | ASF JIRA |
---|
columns | key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution |
---|
serverId | 5aa69414-a9e9-3523-82ec-879b028fb15b |
---|
key | WICKET-6831 |
---|
|
presents a better solution to this problem: Pages are always serialized synchronously now (storing the serialized data in a persistent storage is still done asynchronously though). But the request is now flushed to the client before detaching of the RequestCycle - besides other clean-up of the request this includes serialization of all touched pages IRequestCycleListener#onEndRequest(), RequestCycle#onEndRequest() and Session#endRequest() are called before flush, thus allowing code to create Jira |
---|
server | ASF JIRA |
---|
columns | key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution |
---|
serverId | 5aa69414-a9e9-3523-82ec-879b028fb15b |
---|
key | WICKET-6847 |
---|
|
or invalidate a session Jira |
---|
server | ASF JIRA |
---|
columns | key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution |
---|
serverId | 5aa69414-a9e9-3523-82ec-879b028fb15b |
---|
key | WICKET-6848 |
---|
|
.Note: This improvement was backported to WIcket 8.11.0.
API Changes
Deprecate package org.apache.wicket.util.time from wicket-util
Jira |
---|
server | ASF JIRA |
---|
serverId | 5aa69414-a9e9-3523-82ec-879b028fb15b |
---|
key | WICKET-6662 |
---|
|
...
With the deprecated API you were required to keep a ResourceAggregator around. Its usage is not recommended, since it prevents usage of CSP (see above):
Code Block |
---|
language | java |
---|
title | Wicket 8.x |
---|
|
// deprecated API
setHeaderResponseDecorator(response -> new ResourceAggregator(new CustomResponse())); |
...
Several workarounds for older browsers were removed. The special JavaScript event "inputchange" for IE is no longer supported and should be replaced with the standard "input change" instead.
The Ajax debug-window was removed, users should use their favorite browser's JS console instead.
AjaxFormChoiceComponentUpdatingBehavior and FormComponentUpdatingBehavior "change" event
Jira |
---|
server | ASF JIRA |
---|
columns | key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution |
---|
serverId | 5aa69414-a9e9-3523-82ec-879b028fb15b |
---|
key | WICKET-6718 |
---|
|
...