java.lang.Object

org.apache.wicket.protocol.http.FetchMetadataResourceIsolationPolicy

All Implemented Interfaces:: IResourceIsolationPolicy

public class FetchMetadataResourceIsolationPolicy extends Object implements IResourceIsolationPolicy

Default resource isolation policy used in ResourceIsolationRequestCycleListener, based on https://web.dev/fetch-metadata/.

Author:

Santiago Diaz - saldiaz@google.com, Ecenaz Jen Ozmen - ecenazo@google.com

See Also:

https://web.dev/fetch-metadata/

Nested Class Summary

Nested classes/interfaces inherited from interface org.apache.wicket.protocol.http.IResourceIsolationPolicy
IResourceIsolationPolicy.ResourceIsolationOutcome
Field Summary

Fields

Modifier and Type

Field

Description

static final String

CORS

static final String

CROSS_SITE

static final String

DEST_DOCUMENT

static final String

DEST_EMBED

static final String

DEST_IMAGE

static final String

DEST_OBJECT

static final String

DEST_SCRIPT

static final String

MODE_NAVIGATE

static final String

MODE_NO_CORS

static final String

NONE

static final String

SAME_ORIGIN

static final String

SAME_SITE

static final String

SEC_FETCH_DEST_HEADER

static final String

SEC_FETCH_MODE_HEADER

static final String

SEC_FETCH_SITE_HEADER

static final String

VARY_HEADER
Constructor Summary

Constructors

Constructor

Description

FetchMetadataResourceIsolationPolicy()
Method Summary

Modifier and Type

Method

Description

IResourceIsolationPolicy.ResourceIsolationOutcome

isRequestAllowed(jakarta.servlet.http.HttpServletRequest request, IRequestablePage targetPage)

Is the given request allowed.

void

setHeaders(jakarta.servlet.http.HttpServletResponse response)

Set vary headers to avoid caching responses processed by Fetch Metadata.

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details
- SEC_FETCH_SITE_HEADER
  
  public static final String SEC_FETCH_SITE_HEADER
  See Also:
  
  Constant Field Values
- SEC_FETCH_MODE_HEADER
  
  public static final String SEC_FETCH_MODE_HEADER
  See Also:
  
  Constant Field Values
- SEC_FETCH_DEST_HEADER
  
  public static final String SEC_FETCH_DEST_HEADER
  See Also:
  
  Constant Field Values
- SAME_ORIGIN
  
  public static final String SAME_ORIGIN
  See Also:
  
  Constant Field Values
- SAME_SITE
  
  public static final String SAME_SITE
  See Also:
  
  Constant Field Values
- NONE
  
  public static final String NONE
  See Also:
  
  Constant Field Values
- MODE_NAVIGATE
  
  public static final String MODE_NAVIGATE
  See Also:
  
  Constant Field Values
- MODE_NO_CORS
  
  public static final String MODE_NO_CORS
  See Also:
  
  Constant Field Values
- DEST_OBJECT
  
  public static final String DEST_OBJECT
  See Also:
  
  Constant Field Values
- DEST_EMBED
  
  public static final String DEST_EMBED
  See Also:
  
  Constant Field Values
- CROSS_SITE
  
  public static final String CROSS_SITE
  See Also:
  
  Constant Field Values
- CORS
  
  public static final String CORS
  See Also:
  
  Constant Field Values
- DEST_DOCUMENT
  
  public static final String DEST_DOCUMENT
  See Also:
  
  Constant Field Values
- DEST_SCRIPT
  
  public static final String DEST_SCRIPT
  See Also:
  
  Constant Field Values
- DEST_IMAGE
  
  public static final String DEST_IMAGE
  See Also:
  
  Constant Field Values
- VARY_HEADER
  
  public static final String VARY_HEADER
  See Also:
  
  Constant Field Values
Constructor Details
- FetchMetadataResourceIsolationPolicy
  
  public FetchMetadataResourceIsolationPolicy()
Method Details
- isRequestAllowed
  
  public IResourceIsolationPolicy.ResourceIsolationOutcome isRequestAllowed(jakarta.servlet.http.HttpServletRequest request, IRequestablePage targetPage)
  
  Description copied from interface: IResourceIsolationPolicy
  
  Is the given request allowed.
  
  Specified by:
  
  isRequestAllowed in interface IResourceIsolationPolicy
  
  Parameters:
  
  request - request
  
  targetPage - targeted page
  
  Returns:
  
  outcome, must not be null
- setHeaders
  
  public void setHeaders(jakarta.servlet.http.HttpServletResponse response)
  
  Set vary headers to avoid caching responses processed by Fetch Metadata.
  Caching these responses may return 403 responses to legitimate requests defeat the protection.
  
  Specified by:
  
  setHeaders in interface IResourceIsolationPolicy

Class FetchMetadataResourceIsolationPolicy

Nested Class Summary

Nested classes/interfaces inherited from interface org.apache.wicket.protocol.http.IResourceIsolationPolicy

Field Summary

Constructor Summary

Method Summary

Methods inherited from class java.lang.Object

Field Details

SEC_FETCH_SITE_HEADER

SEC_FETCH_MODE_HEADER

SEC_FETCH_DEST_HEADER

SAME_ORIGIN

SAME_SITE

NONE

MODE_NAVIGATE

MODE_NO_CORS

DEST_OBJECT

DEST_EMBED

CROSS_SITE

CORS

DEST_DOCUMENT

DEST_SCRIPT

DEST_IMAGE

VARY_HEADER

Constructor Details

FetchMetadataResourceIsolationPolicy

Method Details

isRequestAllowed

setHeaders