From c4953d686f4761a4ba31d4cf7e92c090055dc031 Mon Sep 17 00:00:00 2001
From: Andrew Kondratev <andruhon@gmail.com>
Date: Fri, 27 Sep 2019 15:40:33 +1200
Subject: [PATCH 1/4] WICKET-6703 replace eval with jQuery.globalEval; add
 suspend/notify

---
 .../wicket/ajax/AjaxRequestHandler.java       |   6 +
 .../wicket/ajax/res/js/wicket-ajax-jquery.js  | 177 +++++++++---------
 .../handler/IPartialPageRequestHandler.java   |   9 +
 .../head/filter/CspNonceHeaderResponse.java   |   5 +-
 .../apache/wicket/page/PartialPageUpdate.java |  32 +++-
 .../wicket/page/XmlPartialPageUpdate.java     |  10 +
 .../head/filter/CspNoncePageExpected.html     |   2 +-
 .../examples/ajax/builtin/EffectsPage.html    |  29 ++-
 .../examples/ajax/builtin/EffectsPage.java    |  49 ++++-
 .../examples/ajax/builtin/EffectsPage.js      |  26 +++
 .../wicket/examples/csp/CspApplication.java   |  41 +++-
 .../wicket/examples/csp/NonceDemoPage.java    |   4 +-
 .../ws/api/WebSocketRequestHandler.java       |   6 +
 13 files changed, 291 insertions(+), 105 deletions(-)
 create mode 100644 wicket-examples/src/main/java/org/apache/wicket/examples/ajax/builtin/EffectsPage.js

diff --git a/wicket-core/src/main/java/org/apache/wicket/ajax/AjaxRequestHandler.java b/wicket-core/src/main/java/org/apache/wicket/ajax/AjaxRequestHandler.java
index 1dad0487e2e..63cb4a0bfec 100644
--- a/wicket-core/src/main/java/org/apache/wicket/ajax/AjaxRequestHandler.java
+++ b/wicket-core/src/main/java/org/apache/wicket/ajax/AjaxRequestHandler.java
@@ -266,6 +266,12 @@ public final void appendJavaScript(CharSequence javascript)
 		update.appendJavaScript(javascript);
 	}
 
+	@Override
+	public void addMeta(CharSequence name, CharSequence value)
+	{
+		update.addMeta(name, value);
+	}
+
 	/**
 	 * @see org.apache.wicket.core.request.handler.IPageRequestHandler#detach(org.apache.wicket.request.IRequestCycle)
 	 */
diff --git a/wicket-core/src/main/java/org/apache/wicket/ajax/res/js/wicket-ajax-jquery.js b/wicket-core/src/main/java/org/apache/wicket/ajax/res/js/wicket-ajax-jquery.js
index 70dd69dca7d..2cd28edd3fb 100644
--- a/wicket-core/src/main/java/org/apache/wicket/ajax/res/js/wicket-ajax-jquery.js
+++ b/wicket-core/src/main/java/org/apache/wicket/ajax/res/js/wicket-ajax-jquery.js
@@ -187,7 +187,7 @@
 	 * Logging functionality.
 	 */
 	Wicket.Log = {
-			
+
 		enabled: false,
 
 		log: function () {
@@ -350,6 +350,44 @@
 	 */
 	Wicket.Ajax.Call = Wicket.Class.create();
 
+	Wicket.Ajax.Call._suspended = 0;
+
+	Wicket.Ajax.Call.currentNotify = undefined;
+
+	Wicket.Ajax.Call.suspend = function () {
+		if (typeof (Wicket.Ajax.Call.currentNotify) != "function") {
+			Wicket.Log.error("Can't suspend: no evaluation in process");
+			return;
+		}
+		Wicket.Ajax.Call._suspended++;
+		var notify = Wicket.Ajax.Call.currentNotify;
+		var released = false;
+
+		return function () {
+			// release only once
+			if (released === false) {
+				released = true;
+				Wicket.Ajax.Call._suspended--;
+				if (Wicket.Ajax.Call._suspended === 0) {
+					notify();
+				}
+			}
+		}
+	};
+
+	Wicket.Ajax.Call.getFunctionsExecuterStatus = function() {
+		if (Wicket.Ajax.Call._suspended) {
+			// suspended
+			return FunctionsExecuter.ASYNC;
+		} else {
+			// execution finished, cleanup the last notify
+			Wicket.Ajax.Call.currentNotify = undefined;
+			Wicket.Ajax.Call._suspended = 0;
+			// continue to next step
+			return FunctionsExecuter.DONE;
+		}
+	};
+
 	Wicket.Ajax.Call.prototype = {
 
 		initialize: jQuery.noop,
@@ -529,20 +567,20 @@
 		},
 
 		/**
-		 * Is an element still present for Ajax requests. 
+		 * Is an element still present for Ajax requests.
 		 */
 		_isPresent: function(id) {
 			if (isUndef(id)) {
 				// no id so no check whether present
 				return true;
 			}
-			
+
 			var element = Wicket.$(id);
 			if (isUndef(element)) {
 				// not present
 				return false;
 			}
-			
+
 			// present if no attributes at all or not a placeholder
 			return (!element.hasAttribute || !element.hasAttribute('data-wicket-placeholder'));
 		},
@@ -560,7 +598,7 @@
 					'Wicket-Ajax': 'true',
 					'Wicket-Ajax-BaseURL': getAjaxBaseUrl()
 				},
-				
+
 				url = attrs.u,
 
 				// the request (extra) parameters
@@ -570,7 +608,7 @@
 
 				// the precondition to use if there are no explicit ones
 				defaultPrecondition = [ function (attributes) {
-					return self._isPresent(attributes.c) && self._isPresent(attributes.f); 
+					return self._isPresent(attributes.c) && self._isPresent(attributes.f);
 				}],
 
 				// a context that brings the common data for the success/fialure/complete handlers
@@ -631,7 +669,7 @@
 				var el = Wicket.$(attrs.c);
 				data = data.concat(Wicket.Form.serializeElement(el, attrs.sr));
 			}
-			
+
 			// collect the dynamic extra parameters
 			if (jQuery.isArray(attrs.dep)) {
 				var dynamicData = this._calculateDynamicParameters(attrs);
@@ -650,7 +688,7 @@
 					for (var i = 0; i < data.length; i++) {
 						formData.append(data[i].name, data[i].value || "");
 					}
-					
+
 					data = formData;
 					wwwFormUrlEncoded = false;
 				} catch (exception) {
@@ -668,7 +706,7 @@
 				context: self,
 				processData: wwwFormUrlEncoded,
 				contentType: wwwFormUrlEncoded,
-				
+
 				beforeSend: function (jqXHR, settings) {
 					self._executeHandlers(attrs.bsh, attrs, jqXHR, settings);
 					we.publish(topic.AJAX_CALL_BEFORE_SEND, attrs, jqXHR, settings);
@@ -823,15 +861,25 @@
 					return;
 				}
 
+				var nonce;
+				var meta = root.getElementsByTagName("meta")[0];
+				if (!isUndef(meta)) {
+					// var nonceEl = meta.getElementsByTagName("wicket-nonce")[0];
+					// if (!isUndef(nonceEl)) {
+					// 	nonce = Wicket.DOM.text(nonceEl);
+					// }
+					nonce = Wicket.DOM.text(meta.getElementsByTagName("wicket-nonce")[0]);
+				}
+
 				var steps = context.steps;
 
 				// go through the ajax response and execute all priority-invocations first
 				for (var i = 0; i < root.childNodes.length; ++i) {
 					var childNode = root.childNodes[i];
 					if (childNode.tagName === "header-contribution") {
-						this.processHeaderContribution(context, childNode);
+						this.processHeaderContribution(context, childNode, nonce);
 					} else if (childNode.tagName === "priority-evaluate") {
-						this.processEvaluation(context, childNode);
+						this.processEvaluation(context, childNode, nonce);
 					}
 				}
 
@@ -848,7 +896,7 @@
 						stepIndexOfLastReplacedComponent = steps.length;
 						this.processComponent(context, node);
 					} else if (node.tagName === "evaluate") {
-						this.processEvaluation(context, node);
+						this.processEvaluation(context, node, nonce);
 					} else if (node.tagName === "redirect") {
 						this.processRedirect(context, node);
 					}
@@ -929,19 +977,10 @@
 		/**
 		 * Adds a closure that evaluates javascript code.
 		 * @param context {Object} - the object that brings the executer's steps and the attributes
-		 * @param node {XmlElement} - the <[priority-]evaluate> element with the script to evaluate
+		 * @param node {Element} - the <[priority-]evaluate> element with the script to evaluate
+		 * @param nonce {String} - optional CSP nonce
 		 */
-		processEvaluation: function (context, node) {
-
-			// used to match evaluation scripts which manually call FunctionsExecuter's notify() when ready
-			var scriptWithIdentifierR = new RegExp("\\(function\\(\\)\\{([a-zA-Z_]\\w*)\\|((.|\\n)*)?\\}\\)\\(\\);$");
-
-			/**
-			 * A regex used to split the text in (priority-)evaluate elements in the Ajax response
-			 * when there are scripts which require manual call of 'FunctionExecutor#notify()'
-			 * @type {RegExp}
-			 */
-			var scriptSplitterR = new RegExp("\\(function\\(\\)\\{[\\s\\S]*?}\\)\\(\\);", 'gi');
+		processEvaluation: function (context, node, nonce) {
 
 			// get the javascript body
 			var text = Wicket.DOM.text(node);
@@ -950,67 +989,28 @@
 			var steps = context.steps;
 			var log = Wicket.Log;
 
-			var evaluateWithManualNotify = function (parameters, body) {
-				return function(notify) {
-					var toExecute = "(function(" + parameters + ") {" + body + "})";
-
-					try {
-						// do the evaluation in global scope
-						var f = window.eval(toExecute);
-						f(notify);
-					} catch (exception) {
-						log.error("Wicket.Ajax.Call.processEvaluation: Exception evaluating javascript: %s", text, exception);
-					}
-					return FunctionsExecuter.ASYNC;
-				};
-			};
-
 			var evaluate = function (script) {
 				return function(notify) {
 					// just evaluate the javascript
+					Wicket.Ajax.Call.currentNotify = notify;
 					try {
 						// do the evaluation in global scope
-						window.eval(script);
+						jQuery.globalEval(script, {nonce: nonce});
 					} catch (exception) {
 						log.error("Ajax.Call.processEvaluation: Exception evaluating javascript: %s", text, exception);
 					}
 					// continue to next step
-					return FunctionsExecuter.DONE;
+					return Wicket.Ajax.Call.getFunctionsExecuterStatus();
 				};
 			};
 
-			// test if the javascript is in form of identifier|code
-			// if it is, we allow for letting the javascript decide when the rest of processing will continue
-			// by invoking identifier();. This allows usage of some asynchronous/deferred logic before the next script
-			// See WICKET-5039
-			if (scriptWithIdentifierR.test(text)) {
-				var scripts = [];
-				var scr;
-				while ( (scr = scriptSplitterR.exec(text) ) !== null ) {
-					scripts.push(scr[0]);
-				}
-
-				for (var s = 0; s < scripts.length; s++) {
-					var script = scripts[s];
-					if (script) {
-						var scriptWithIdentifier = script.match(scriptWithIdentifierR);
-						if (scriptWithIdentifier) {
-							steps.push(evaluateWithManualNotify(scriptWithIdentifier[1], scriptWithIdentifier[2]));
-						}
-						else {
-							steps.push(evaluate(script));
-						}
-					}
-				}
-			} else {
-				steps.push(evaluate(text));
-			}
+			steps.push(evaluate(text));
 		},
 
 		// Adds a closure that processes a header contribution
-		processHeaderContribution: function (context, node) {
+		processHeaderContribution: function (context, node, nonce) {
 			var c = Wicket.Head.Contributor;
-			c.processContribution(context, node);
+			c.processContribution(context, node, nonce);
 		},
 
 		// Adds a closure that processes a redirect
@@ -1231,7 +1231,7 @@
 				var result = [];
 				if (input && input.type) {
 					var $input = jQuery(input);
-					
+
 					if (input.type === 'file') {
 						for (var f = 0; f < input.files.length; f++) {
 							result.push({"name" : input.name, "value" : input.files[f]});
@@ -1608,7 +1608,7 @@
 			 * Reads the text from the node's children nodes.
 			 * Used instead of jQuery.text() because it is very slow in IE10/11.
 			 * WICKET-5132, WICKET-5510
-			 * @param node {DOMElement} the root node
+			 * @param node {Element} the root node
 			 */
 			text: function (node) {
 				if (isUndef(node)) {
@@ -1730,7 +1730,7 @@
 					}, null, attrs.sel);
 				});
 			},
-			
+
 			process: function(data) {
 				var call = new Wicket.Ajax.Call();
 				call.process(data);
@@ -1766,7 +1766,7 @@
 				parse: function (headerNode) {
 					// the header contribution is stored as CDATA section in the header-contribution element,
 					// we need to parse it since each header contribution needs to be treated separately
-					
+
 					// get the header contribution text and unescape it if necessary
 					var text = Wicket.DOM.text(headerNode);
 
@@ -1789,7 +1789,7 @@
 				},
 
 				// Processes the parsed header contribution
-				processContribution: function (context, headerNode) {
+				processContribution: function (context, headerNode, nonce) {
 					var xmldoc = this.parse(headerNode);
 					var rootNode = xmldoc.documentElement;
 
@@ -1828,9 +1828,9 @@
 							if (name === "link") {
 								this.processLink(context, node);
 							} else if (name === "script") {
-								this.processScript(context, node);
+								this.processScript(context, node, nonce);
 							} else if (name === "style") {
-								this.processStyle(context, node);
+								this.processStyle(context, node, nonce);
 							} else if (name === "meta") {
 								this.processMeta(context, node);
 							}
@@ -1891,7 +1891,7 @@
 				},
 
 				// Process an inline style element
-				processStyle: function (context, node) {
+				processStyle: function (context, node, nonce) {
 					context.steps.push(function (notify) {
 						// if element with same id is already in document, skip it
 						if (Wicket.DOM.containsElement(node)) {
@@ -1905,6 +1905,7 @@
 
 						// copy id attribute
 						style.id = node.getAttribute("id");
+						style.nonce = nonce;
 
 						var textNode = document.createTextNode(content);
 						style.appendChild(textNode);
@@ -1917,7 +1918,7 @@
 				},
 
 				// Process a script element (both inline and external)
-				processScript: function (context, node) {
+				processScript: function (context, node, nonce) {
 					context.steps.push(function (notify) {
 
 						if (!node.getAttribute("src") && Wicket.DOM.containsElement(node)) {
@@ -1982,11 +1983,11 @@
 
 							if (typeof(id) === "string" && id.length > 0) {
 								// add javascript to document head
-								Wicket.Head.addJavascript(text, id, "", type);
+								Wicket.Head.addJavascript(text, id, "", type, nonce);
 							} else {
 								try {
 									// do the evaluation in global scope
-									window.eval(text);
+									jQuery.globalEval(text, {nonce: nonce});
 								} catch (e) {
 									Wicket.Log.error("Wicket.Head.Contributor.processScript: %s", text, e);
 								}
@@ -2003,9 +2004,12 @@
 						var meta = Wicket.Head.createElement("meta"),
 							$meta = jQuery(meta),
 							attrs = jQuery(node).prop("attributes"),
-							name = node.getAttribute("name");
+							name = node.getAttribute("name"),
+							id = node.getAttribute("id");
 
-						if(name) {
+						if (id) {
+							jQuery('meta[id="' + id + '"]').remove();
+						} else if (name) {
 							jQuery('meta[name="' + name + '"]').remove();
 						}
 						jQuery.each(attrs, function() {
@@ -2109,7 +2113,7 @@
 			// attribute to filter out duplicates. However, since we set the body of the element, we can't assign
 			// also a src value. Therefore we put the url to the src_ (notice the underscore)  attribute.
 			// Wicket.Head.containsElement is aware of that and takes also the underscored attributes into account.
-			addJavascript: function (content, id, fakeSrc, type) {
+			addJavascript: function (content, id, fakeSrc, type, nonce) {
 				var script = Wicket.Head.createElement("script");
 				if (id) {
 					script.id = id;
@@ -2124,6 +2128,9 @@
 
 				script.setAttribute("src_", fakeSrc);
 				script.setAttribute("type", type);
+				if (nonce) {
+					script.setAttribute("nonce", nonce)
+				}
 
 				// set the javascript as element content
 				if (null === script.canHaveChildren || script.canHaveChildren) {
@@ -2346,7 +2353,7 @@
 					delete Wicket.TimerHandles[timerId];
 				}
 			},
-			
+
 			/**
 			 * Clear all remaining timers.
 			 */
@@ -2361,7 +2368,7 @@
 				}
 			}
 		},
-		
+
 		/**
 		 * Events related code
 		 * Based on code from Mootools (http://mootools.net)
diff --git a/wicket-core/src/main/java/org/apache/wicket/core/request/handler/IPartialPageRequestHandler.java b/wicket-core/src/main/java/org/apache/wicket/core/request/handler/IPartialPageRequestHandler.java
index da126a290df..cb2d9b8200e 100644
--- a/wicket-core/src/main/java/org/apache/wicket/core/request/handler/IPartialPageRequestHandler.java
+++ b/wicket-core/src/main/java/org/apache/wicket/core/request/handler/IPartialPageRequestHandler.java
@@ -78,6 +78,15 @@ public interface IPartialPageRequestHandler extends IPageRequestHandler
 	 */
 	void appendJavaScript(CharSequence javascript);
 
+	/**
+	 * Add extra meta data to partial page response.
+	 * This is the response meta data, not HTML meta data.
+	 *
+	 * @param name meta datum name
+	 * @param value meta datum value
+	 */
+	void addMeta(CharSequence name, CharSequence value);
+
 	/**
 	 * Adds javascript that will be evaluated on the client side before components are replaced.
 	 *
diff --git a/wicket-core/src/main/java/org/apache/wicket/markup/head/filter/CspNonceHeaderResponse.java b/wicket-core/src/main/java/org/apache/wicket/markup/head/filter/CspNonceHeaderResponse.java
index 7a911ca6cd8..9422c9bfa3f 100644
--- a/wicket-core/src/main/java/org/apache/wicket/markup/head/filter/CspNonceHeaderResponse.java
+++ b/wicket-core/src/main/java/org/apache/wicket/markup/head/filter/CspNonceHeaderResponse.java
@@ -67,7 +67,7 @@ public void render(HeaderItem item)
 
 				String policy = getContentSecurityPolicy(nonce);
 
-				super.render(MetaDataHeaderItem.forHttpEquiv(CONTENT_SECURITY_POLICY, policy));
+				super.render(MetaDataHeaderItem.forHttpEquiv(CONTENT_SECURITY_POLICY, policy).addTagAttribute("id", "meta-csp"));
 			}
 
 			((AbstractCspHeaderItem)item).setNonce(nonce);
@@ -80,7 +80,6 @@ public void render(HeaderItem item)
 	 * Get the <em>Content-Security-Policy</em> (CSP).
 	 * <p>
 	 * There is a variety of CSP configurations, this default implementation uses the nonce for scripts and styles
-	 * and allows <code>unsafe-eval</code>s (needed for Wicket Ajax).
 	 * 
 	 * @param nonce
 	 *            the nonce
@@ -88,6 +87,6 @@ public void render(HeaderItem item)
 	 */
 	protected String getContentSecurityPolicy(String nonce)
 	{
-		return String.format("script-src 'unsafe-eval' 'nonce-%1$s'; style-src 'nonce-%1$s';", nonce);
+		return String.format("script-src 'nonce-%1$s'; style-src 'nonce-%1$s';", nonce);
 	}
 }
diff --git a/wicket-core/src/main/java/org/apache/wicket/page/PartialPageUpdate.java b/wicket-core/src/main/java/org/apache/wicket/page/PartialPageUpdate.java
index 2e026bd6247..cdeba73e1bb 100644
--- a/wicket-core/src/main/java/org/apache/wicket/page/PartialPageUpdate.java
+++ b/wicket-core/src/main/java/org/apache/wicket/page/PartialPageUpdate.java
@@ -48,6 +48,7 @@
 import org.apache.wicket.util.lang.Args;
 import org.apache.wicket.util.lang.Generics;
 import org.apache.wicket.util.string.AppendingStringBuffer;
+import org.apache.wicket.util.string.Strings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -68,6 +69,12 @@ public abstract class PartialPageUpdate
 {
 	private static final Logger LOG = LoggerFactory.getLogger(PartialPageUpdate.class);
 
+	/**
+	 * Meta data to be added to the partial page response.
+	 * This is the response meta data, not HTML meta data.
+	 */
+	protected final List<CharSequence> meta = Generics.newArrayList();
+
 	/**
 	 * A list of scripts (JavaScript) which should be executed on the client side before the
 	 * components' replacement
@@ -92,6 +99,7 @@ public abstract class PartialPageUpdate
 	 */
 	protected final Map<String, Component> markupIdToComponent = new LinkedHashMap<String, Component>();
 
+
 	/**
 	 * A flag that indicates that components cannot be added anymore.
 	 * See https://issues.apache.org/jira/browse/WICKET-3564
@@ -160,6 +168,8 @@ public void writeTo(final Response response, final String encoding)
 
 			onAfterRespond(response);
 
+			writeMeta(response, meta);
+
 			// queue up prepend javascripts. unlike other steps these are executed out of order so that
 			// components can contribute them from inside their onbeforerender methods.
 			writePriorityEvaluations(response, prependJavaScripts);
@@ -205,6 +215,15 @@ protected void onAfterRespond(Response response) {
 	 */
     protected abstract void writeFooter(Response response, String encoding);
 
+	/**
+	 *
+	 * @param response
+	 *      the response to write to
+	 * @param meta
+	 *      the collection of prepared meta data (with tags)
+	 */
+	protected abstract void writeMeta(Response response, final Collection<CharSequence> meta);
+
 	/**
 	 *
 	 * @param response
@@ -382,6 +401,17 @@ public int hashCode()
 		return result;
 	}
 
+	/**
+	 * Add meta datum to partial page update.
+	 * This is the response meta data, not HTML meta data.
+	 *
+	 * @param name
+	 * @param value
+	 */
+	public final void addMeta(CharSequence name, CharSequence value) {
+		meta.add(String.format("<%1$s>%2$s</%1$s>", Strings.escapeMarkup(name), Strings.escapeMarkup(value)));
+	}
+
 	/**
 	 * Adds script to the ones which are executed after the component replacement.
 	 *
@@ -612,7 +642,7 @@ private static class PartialHtmlHeaderContainer extends HtmlHeaderContainer
 		/**
 		 * Constructor.
 		 *
-		 * @param update
+		 * @param pageUpdate
 		 *      the partial page update
 		 */
 		public PartialHtmlHeaderContainer(PartialPageUpdate pageUpdate)
diff --git a/wicket-core/src/main/java/org/apache/wicket/page/XmlPartialPageUpdate.java b/wicket-core/src/main/java/org/apache/wicket/page/XmlPartialPageUpdate.java
index 0af43424d65..79697d65f53 100644
--- a/wicket-core/src/main/java/org/apache/wicket/page/XmlPartialPageUpdate.java
+++ b/wicket-core/src/main/java/org/apache/wicket/page/XmlPartialPageUpdate.java
@@ -101,6 +101,16 @@ protected void writeFooter(Response response, String encoding)
 		response.write(END_ROOT_ELEMENT);
 	}
 
+	@Override
+	protected void writeMeta(final Response response, final Collection<CharSequence> meta) {
+		if (meta.size() > 0)
+		{
+			response.write("<meta>");
+			response.write(String.join("", meta));
+			response.write("</meta>");
+		}
+	}
+
 	@Override
 	protected void writeHeaderContribution(Response response)
 	{
diff --git a/wicket-core/src/test/java/org/apache/wicket/markup/head/filter/CspNoncePageExpected.html b/wicket-core/src/test/java/org/apache/wicket/markup/head/filter/CspNoncePageExpected.html
index baa33bac5de..7d0994970f7 100644
--- a/wicket-core/src/test/java/org/apache/wicket/markup/head/filter/CspNoncePageExpected.html
+++ b/wicket-core/src/test/java/org/apache/wicket/markup/head/filter/CspNoncePageExpected.html
@@ -1,5 +1,5 @@
 <html xmlns:wicket="http://wicket.apache.org/dtds.data/wicket-xhtml1.4-strict.dtd" >
-    <head><meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-eval' 'nonce-NONCE'; style-src 'nonce-NONCE';" />
+    <head><meta http-equiv="Content-Security-Policy" content="script-src 'nonce-NONCE'; style-src 'nonce-NONCE';" id="meta-csp" />
 <script type="text/javascript" src="../resource/org.apache.wicket.resource.JQueryResourceReference/jquery/jquery-3.4.1.js" nonce="NONCE"></script>
 <script type="text/javascript" src="../resource/org.apache.wicket.ajax.AbstractDefaultAjaxBehavior/res/js/wicket-ajax-jquery.js" nonce="NONCE"></script>
 <script type="text/javascript" id="wicket-ajax-debug-enable" nonce="NONCE">
diff --git a/wicket-examples/src/main/java/org/apache/wicket/examples/ajax/builtin/EffectsPage.html b/wicket-examples/src/main/java/org/apache/wicket/examples/ajax/builtin/EffectsPage.html
index 241c86e6713..d875ceaa6a6 100644
--- a/wicket-examples/src/main/java/org/apache/wicket/examples/ajax/builtin/EffectsPage.html
+++ b/wicket-examples/src/main/java/org/apache/wicket/examples/ajax/builtin/EffectsPage.html
@@ -15,13 +15,28 @@
     }
 </style>
 <div class="container">
-counter 1:<span wicket:id="c1"></span> 
-<br/>
-<br/>
-counter 2: <span wicket:id="c2"></span>
-<br/>
-<br/>
-<a href="#" wicket:id="c1-link">counter1++ and shake</a>&#160;&#160;<a href="#" wicket:id="c2-link">counter2++ and highlight</a>
+	<div>
+		<p>
+			counter 1:<span wicket:id="c1"></span>
+		</p>
+		<p>
+			counter 2: <span wicket:id="c2"></span>
+		</p>
+		<p>
+			counter 3: <span wicket:id="c3"></span>
+		</p>
+	</div>
+	<div>
+		<p>
+			<a href="#" wicket:id="c1-link">counter1++ and shake</a>
+		</p>
+		<p>
+			<a href="#" wicket:id="c2-link">counter2++ and highlight</a>
+		</p>
+		<p>
+			<a href="#" wicket:id="c3-link">counter3++, fade-out and fade-in</a>
+		</p>
+	</div>
 </div>
 </wicket:extend>
 </html>
\ No newline at end of file
diff --git a/wicket-examples/src/main/java/org/apache/wicket/examples/ajax/builtin/EffectsPage.java b/wicket-examples/src/main/java/org/apache/wicket/examples/ajax/builtin/EffectsPage.java
index e2865841402..21e5f1897a4 100644
--- a/wicket-examples/src/main/java/org/apache/wicket/examples/ajax/builtin/EffectsPage.java
+++ b/wicket-examples/src/main/java/org/apache/wicket/examples/ajax/builtin/EffectsPage.java
@@ -25,9 +25,11 @@
 import org.apache.wicket.ajax.markup.html.AjaxFallbackLink;
 import org.apache.wicket.ajax.markup.html.AjaxLink;
 import org.apache.wicket.markup.head.IHeaderResponse;
+import org.apache.wicket.markup.head.JavaScriptHeaderItem;
 import org.apache.wicket.markup.head.OnDomReadyHeaderItem;
 import org.apache.wicket.markup.html.basic.Label;
 import org.apache.wicket.model.PropertyModel;
+import org.apache.wicket.request.resource.JavaScriptResourceReference;
 
 /**
  * Demonstrates ajax effects
@@ -36,6 +38,7 @@ public class EffectsPage extends BasePage
 {
 	private int counter1 = 0;
 	private int counter2 = 0;
+	private int counter3 = 0;
 
 	/**
 	 * @return Value of counter1
@@ -71,6 +74,24 @@ public void setCounter2(int counter2)
 		this.counter2 = counter2;
 	}
 
+
+	/**
+	 * @return Value for counter3
+	 */
+	public int getCounter3()
+	{
+		return counter3;
+	}
+
+	/**
+	 * @param counter3
+	 *            New value for counter3
+	 */
+	public void setCounter3(int counter3)
+	{
+		this.counter3 = counter3;
+	}
+
 	/**
 	 * Constructor
 	 */
@@ -84,6 +105,10 @@ public EffectsPage()
 		c2.setOutputMarkupId(true);
 		add(c2);
 
+		final Label c3 = new Label("c3", new PropertyModel<>(this, "counter3"));
+		c3.setOutputMarkupId(true);
+		add(c3);
+
 		add(new AjaxLink<Void>("c1-link")
 		{
 			@Override
@@ -125,14 +150,36 @@ protected void updateAjaxAttributes(AjaxRequestAttributes attributes)
 				super.updateAjaxAttributes(attributes);
 			}
 		});
+
+		add(new AjaxFallbackLink<Void>("c3-link")
+		{
+			@Override
+			public void onClick(Optional<AjaxRequestTarget> targetOptional)
+			{
+				counter3++;
+				targetOptional.ifPresent(target -> {
+					target.prependJavaScript((String.format("EffectsPage.animatedCountHide('#%s');", c3.getMarkupId())));
+					target.add(c3);
+					target.prependJavaScript((String.format("EffectsPage.animatedCountShow('#%s');", c3.getMarkupId())));
+				});
+			}
+
+			@Override
+			protected void updateAjaxAttributes(AjaxRequestAttributes attributes)
+			{
+				attributes.setChannel(new AjaxChannel("effects", Type.DROP));
+
+				super.updateAjaxAttributes(attributes);
+			}
+		});
 	}
 
 	@Override
 	public void renderHead(IHeaderResponse response)
 	{
 		super.renderHead(response);
-
 		response.render(OnDomReadyHeaderItem.forScript("jQuery.noConflict();"));
+		response.render(JavaScriptHeaderItem.forReference(new JavaScriptResourceReference(EffectsPage.class, "EffectsPage.js")));
 	}
 
 }
diff --git a/wicket-examples/src/main/java/org/apache/wicket/examples/ajax/builtin/EffectsPage.js b/wicket-examples/src/main/java/org/apache/wicket/examples/ajax/builtin/EffectsPage.js
new file mode 100644
index 00000000000..d44555f56cc
--- /dev/null
+++ b/wicket-examples/src/main/java/org/apache/wicket/examples/ajax/builtin/EffectsPage.js
@@ -0,0 +1,26 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+EffectsPage = {};
+EffectsPage.animatedCountHide = function (countComponentSelector) {
+    var notify = Wicket.Ajax.Call.suspend(); // suspend the prepend JS until animation finished
+    jQuery(countComponentSelector).hide("fade", function () { // hide with fade effect
+        notify(); // animation is finished, release to allow the element to be replaced
+    });
+};
+EffectsPage.animatedCountShow = function (countComponentSelector) {
+    jQuery(countComponentSelector).show("drop"); // show with drop effect
+};
\ No newline at end of file
diff --git a/wicket-examples/src/main/java/org/apache/wicket/examples/csp/CspApplication.java b/wicket-examples/src/main/java/org/apache/wicket/examples/csp/CspApplication.java
index b4b83415c00..213c38b47f3 100644
--- a/wicket-examples/src/main/java/org/apache/wicket/examples/csp/CspApplication.java
+++ b/wicket-examples/src/main/java/org/apache/wicket/examples/csp/CspApplication.java
@@ -16,15 +16,21 @@
  */
 package org.apache.wicket.examples.csp;
 
-import java.util.Base64;
-import java.util.concurrent.ThreadLocalRandom;
-
+import org.apache.wicket.Component;
 import org.apache.wicket.MetaDataKey;
 import org.apache.wicket.Page;
 import org.apache.wicket.Session;
+import org.apache.wicket.ajax.AjaxRequestTarget;
 import org.apache.wicket.examples.WicketExampleApplication;
 import org.apache.wicket.markup.head.ResourceAggregator;
 import org.apache.wicket.markup.head.filter.CspNonceHeaderResponse;
+import org.apache.wicket.protocol.http.servlet.ServletWebRequest;
+import org.apache.wicket.request.Request;
+import org.apache.wicket.request.cycle.RequestCycle;
+
+import java.util.Base64;
+import java.util.Map;
+import java.util.concurrent.ThreadLocalRandom;
 
 public class CspApplication extends WicketExampleApplication
 {
@@ -45,7 +51,19 @@ protected void init()
 	{
 		super.init();
 
-		setHeaderResponseDecorator(response -> new ResourceAggregator(new CspNonceHeaderResponse(response, getNonce())));
+		// Decorate all header items with nonce
+		setHeaderResponseDecorator(response -> new ResourceAggregator(
+				isCspApplicable() ? new CspNonceHeaderResponse(response, getNonce()) : response
+		));
+		// add nonce to ajax response
+		getAjaxRequestTargetListeners().add((new AjaxRequestTarget.IListener()
+		{
+			@Override
+			public void onBeforeRespond(Map<String, Component> map, AjaxRequestTarget target)
+			{
+				target.addMeta("wicket-nonce", getNonce());
+			}
+		}));
 		
 		mountPage("noncedemo", NonceDemoPage.class);
 	}
@@ -69,4 +87,19 @@ public static String getNonce()
 		}
 		return nonce;
 	}
+
+	public static boolean isCspApplicable()
+	{
+		Request request = RequestCycle.get().getRequest();
+		if (request instanceof ServletWebRequest)
+		{
+			// Unfortunately Edge does things worse than just "doesn't support" it does support the CSP,
+			// but the 'nonce' and 'strict-dynamic' instructions were broken for ages.
+			// Edge issue https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/13246371/
+			// It's OK in new Edge chromium beta, also the new Edge has Edg/ in User-Agent header instead of Edge/
+			return !((ServletWebRequest)request).getContainerRequest().getHeader("User-Agent").contains("Edge/");
+		}
+		return true;
+	}
+
 }
diff --git a/wicket-examples/src/main/java/org/apache/wicket/examples/csp/NonceDemoPage.java b/wicket-examples/src/main/java/org/apache/wicket/examples/csp/NonceDemoPage.java
index d092f8d5a99..a013cc28c73 100644
--- a/wicket-examples/src/main/java/org/apache/wicket/examples/csp/NonceDemoPage.java
+++ b/wicket-examples/src/main/java/org/apache/wicket/examples/csp/NonceDemoPage.java
@@ -25,6 +25,7 @@
 import org.apache.wicket.markup.html.basic.Label;
 import org.apache.wicket.model.IModel;
 import org.apache.wicket.model.Model;
+import org.apache.wicket.request.resource.JavaScriptResourceReference;
 
 /**
  * Page which disallows execution of inline scripts without nonce
@@ -47,10 +48,7 @@ public NonceDemoPage()
 			public void onClick(AjaxRequestTarget target)
 			{
 				clickMeCountModel.setObject(clickMeCountModel.getObject() + 1);
-
-				// target.add (works even without unsafe-eval)
 				target.add(clickMeCount);
-				// append javascript (won't work without unsafe-eval)
 				target.appendJavaScript("document.querySelector(\".click-me-text\").innerHTML = \"replaced\";");
 			}
 		}.setOutputMarkupId(true));
diff --git a/wicket-native-websocket/wicket-native-websocket-core/src/main/java/org/apache/wicket/protocol/ws/api/WebSocketRequestHandler.java b/wicket-native-websocket/wicket-native-websocket-core/src/main/java/org/apache/wicket/protocol/ws/api/WebSocketRequestHandler.java
index 641844f52cd..5b5e6357180 100644
--- a/wicket-native-websocket/wicket-native-websocket-core/src/main/java/org/apache/wicket/protocol/ws/api/WebSocketRequestHandler.java
+++ b/wicket-native-websocket/wicket-native-websocket-core/src/main/java/org/apache/wicket/protocol/ws/api/WebSocketRequestHandler.java
@@ -154,6 +154,12 @@ public void appendJavaScript(CharSequence javascript)
 		getUpdate().appendJavaScript(javascript);
 	}
 
+	@Override
+	public void addMeta(CharSequence name, CharSequence value)
+	{
+		getUpdate().addMeta(name, value);
+	}
+
 	@Override
 	public void prependJavaScript(CharSequence javascript)
 	{

From 59ece5b8ba79f671a22081e479d59be459977d76 Mon Sep 17 00:00:00 2001
From: Andrew Kondratev <andruhon@gmail.com>
Date: Sun, 29 Sep 2019 12:01:54 +1300
Subject: [PATCH 2/4] code review changes

---
 .../java/org/apache/wicket/ajax/res/js/wicket-ajax-jquery.js    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/wicket-core/src/main/java/org/apache/wicket/ajax/res/js/wicket-ajax-jquery.js b/wicket-core/src/main/java/org/apache/wicket/ajax/res/js/wicket-ajax-jquery.js
index 360e0e0be0a..e9445e06ad5 100644
--- a/wicket-core/src/main/java/org/apache/wicket/ajax/res/js/wicket-ajax-jquery.js
+++ b/wicket-core/src/main/java/org/apache/wicket/ajax/res/js/wicket-ajax-jquery.js
@@ -376,12 +376,12 @@
 	};
 
 	Wicket.Ajax.Call.getFunctionsExecuterStatus = function() {
+		Wicket.Ajax.Call.currentNotify = undefined;
 		if (Wicket.Ajax.Call._suspended) {
 			// suspended
 			return FunctionsExecuter.ASYNC;
 		} else {
 			// execution finished, cleanup the last notify
-			Wicket.Ajax.Call.currentNotify = undefined;
 			Wicket.Ajax.Call._suspended = 0;
 			// continue to next step
 			return FunctionsExecuter.DONE;

From db3523e664e3fdc4427b0ccda5fa88cfc54b9436 Mon Sep 17 00:00:00 2001
From: Andrew Kondratev <andruhon@gmail.com>
Date: Wed, 9 Oct 2019 16:52:09 +1300
Subject: [PATCH 3/4] some code-review changes

---
 .../wicket/ajax/res/js/wicket-ajax-jquery.js  | 28 ++++++++-----------
 .../examples/ajax/builtin/EffectsPage.java    | 17 ++++++++++-
 .../examples/ajax/builtin/EffectsPage.js      | 16 ++++++++++-
 3 files changed, 43 insertions(+), 18 deletions(-)

diff --git a/wicket-core/src/main/java/org/apache/wicket/ajax/res/js/wicket-ajax-jquery.js b/wicket-core/src/main/java/org/apache/wicket/ajax/res/js/wicket-ajax-jquery.js
index e9445e06ad5..0fc9e4dcbf5 100644
--- a/wicket-core/src/main/java/org/apache/wicket/ajax/res/js/wicket-ajax-jquery.js
+++ b/wicket-core/src/main/java/org/apache/wicket/ajax/res/js/wicket-ajax-jquery.js
@@ -356,8 +356,7 @@
 
 	Wicket.Ajax.Call.suspend = function () {
 		if (typeof (Wicket.Ajax.Call.currentNotify) != "function") {
-			Wicket.Log.error("Can't suspend: no evaluation in process");
-			return;
+			throw new Error("Can't suspend: no evaluation in process");
 		}
 		Wicket.Ajax.Call._suspended++;
 		var notify = Wicket.Ajax.Call.currentNotify;
@@ -370,24 +369,12 @@
 				Wicket.Ajax.Call._suspended--;
 				if (Wicket.Ajax.Call._suspended === 0) {
 					notify();
+					Wicket.Ajax.Call.currentNotify = undefined;
 				}
 			}
 		}
 	};
 
-	Wicket.Ajax.Call.getFunctionsExecuterStatus = function() {
-		Wicket.Ajax.Call.currentNotify = undefined;
-		if (Wicket.Ajax.Call._suspended) {
-			// suspended
-			return FunctionsExecuter.ASYNC;
-		} else {
-			// execution finished, cleanup the last notify
-			Wicket.Ajax.Call._suspended = 0;
-			// continue to next step
-			return FunctionsExecuter.DONE;
-		}
-	};
-
 	Wicket.Ajax.Call.prototype = {
 
 		initialize: jQuery.noop,
@@ -1000,7 +987,16 @@
 						log.error("Ajax.Call.processEvaluation: Exception evaluating javascript: %s", text, exception);
 					}
 					// continue to next step
-					return Wicket.Ajax.Call.getFunctionsExecuterStatus();
+					if (Wicket.Ajax.Call._suspended) {
+						// suspended
+						return FunctionsExecuter.ASYNC;
+					} else {
+						// execution finished, cleanup the last notify
+						Wicket.Ajax.Call.currentNotify = undefined;
+						Wicket.Ajax.Call._suspended = 0;
+						// continue to next step
+						return FunctionsExecuter.DONE;
+					}
 				};
 			};
 
diff --git a/wicket-examples/src/main/java/org/apache/wicket/examples/ajax/builtin/EffectsPage.java b/wicket-examples/src/main/java/org/apache/wicket/examples/ajax/builtin/EffectsPage.java
index 21e5f1897a4..88aa25f493c 100644
--- a/wicket-examples/src/main/java/org/apache/wicket/examples/ajax/builtin/EffectsPage.java
+++ b/wicket-examples/src/main/java/org/apache/wicket/examples/ajax/builtin/EffectsPage.java
@@ -17,7 +17,9 @@
 package org.apache.wicket.examples.ajax.builtin;
 
 import java.util.Optional;
+import java.util.Set;
 
+import org.apache.wicket.ClassAttributeModifier;
 import org.apache.wicket.ajax.AjaxChannel;
 import org.apache.wicket.ajax.AjaxChannel.Type;
 import org.apache.wicket.ajax.AjaxRequestTarget;
@@ -107,6 +109,19 @@ public EffectsPage()
 
 		final Label c3 = new Label("c3", new PropertyModel<>(this, "counter3"));
 		c3.setOutputMarkupId(true);
+		c3.add(new ClassAttributeModifier()
+		{
+			@Override
+			protected Set<String> update(Set<String> oldClasses)
+			{
+				if (!EffectsPage.this.isRendering())
+				{
+					// Only add is-hidden when page is already rendered (in AJAX)
+					oldClasses.add("is-hidden");
+				}
+				return oldClasses;
+			}
+		});
 		add(c3);
 
 		add(new AjaxLink<Void>("c1-link")
@@ -160,7 +175,7 @@ public void onClick(Optional<AjaxRequestTarget> targetOptional)
 				targetOptional.ifPresent(target -> {
 					target.prependJavaScript((String.format("EffectsPage.animatedCountHide('#%s');", c3.getMarkupId())));
 					target.add(c3);
-					target.prependJavaScript((String.format("EffectsPage.animatedCountShow('#%s');", c3.getMarkupId())));
+					target.appendJavaScript((String.format("EffectsPage.animatedCountShow('#%s');", c3.getMarkupId())));
 				});
 			}
 
diff --git a/wicket-examples/src/main/java/org/apache/wicket/examples/ajax/builtin/EffectsPage.js b/wicket-examples/src/main/java/org/apache/wicket/examples/ajax/builtin/EffectsPage.js
index d44555f56cc..5e9b1dc13e9 100644
--- a/wicket-examples/src/main/java/org/apache/wicket/examples/ajax/builtin/EffectsPage.js
+++ b/wicket-examples/src/main/java/org/apache/wicket/examples/ajax/builtin/EffectsPage.js
@@ -18,9 +18,23 @@ EffectsPage = {};
 EffectsPage.animatedCountHide = function (countComponentSelector) {
     var notify = Wicket.Ajax.Call.suspend(); // suspend the prepend JS until animation finished
     jQuery(countComponentSelector).hide("fade", function () { // hide with fade effect
+        EffectsPage.delayedFunction1(); // Example of acquiring multiple locks
         notify(); // animation is finished, release to allow the element to be replaced
     });
 };
 EffectsPage.animatedCountShow = function (countComponentSelector) {
-    jQuery(countComponentSelector).show("drop"); // show with drop effect
+    jQuery(countComponentSelector).removeClass("is-hidden").css("display", "none").show("drop"); // show with drop effect
+};
+EffectsPage.delayedFunction1 = function () {
+    var notify = Wicket.Ajax.Call.suspend();
+    setTimeout(function () {
+        EffectsPage.delayedFunction2(); // call another function acquiring another lock
+        notify();
+    }, 100);
+};
+EffectsPage.delayedFunction2 = function () {
+    var notify = Wicket.Ajax.Call.suspend();
+    setTimeout(function () {
+        notify(); // finally release
+    }, 200);
 };
\ No newline at end of file

From a7acbb16ce8d1268f25bb85438c23ec18aaa142d Mon Sep 17 00:00:00 2001
From: Andrew Kondratev <andruhon@gmail.com>
Date: Fri, 11 Oct 2019 16:37:40 +1300
Subject: [PATCH 4/4] code-review: header item instead of eval

---
 .../wicket/ajax/AjaxRequestHandler.java       |  6 --
 .../wicket/ajax/res/js/wicket-ajax-jquery.js  | 95 ++++++-------------
 .../handler/IPartialPageRequestHandler.java   |  9 --
 ...fterDomRenderAjaxJavaScriptHeaderItem.java | 50 ++++++++++
 .../head/JavaScriptContentHeaderItem.java     |  5 +
 .../apache/wicket/page/PartialPageUpdate.java | 61 ++++--------
 .../wicket/page/XmlPartialPageUpdate.java     | 54 ++++-------
 .../filter/AjaxServerAndClientTimeFilter.java | 83 ++++++++++++----
 .../wicket/examples/csp/CspApplication.java   |  9 --
 .../ws/api/WebSocketRequestHandler.java       |  6 --
 10 files changed, 184 insertions(+), 194 deletions(-)
 create mode 100644 wicket-core/src/main/java/org/apache/wicket/markup/head/AfterDomRenderAjaxJavaScriptHeaderItem.java

diff --git a/wicket-core/src/main/java/org/apache/wicket/ajax/AjaxRequestHandler.java b/wicket-core/src/main/java/org/apache/wicket/ajax/AjaxRequestHandler.java
index 63cb4a0bfec..1dad0487e2e 100644
--- a/wicket-core/src/main/java/org/apache/wicket/ajax/AjaxRequestHandler.java
+++ b/wicket-core/src/main/java/org/apache/wicket/ajax/AjaxRequestHandler.java
@@ -266,12 +266,6 @@ public final void appendJavaScript(CharSequence javascript)
 		update.appendJavaScript(javascript);
 	}
 
-	@Override
-	public void addMeta(CharSequence name, CharSequence value)
-	{
-		update.addMeta(name, value);
-	}
-
 	/**
 	 * @see org.apache.wicket.core.request.handler.IPageRequestHandler#detach(org.apache.wicket.request.IRequestCycle)
 	 */
diff --git a/wicket-core/src/main/java/org/apache/wicket/ajax/res/js/wicket-ajax-jquery.js b/wicket-core/src/main/java/org/apache/wicket/ajax/res/js/wicket-ajax-jquery.js
index 0fc9e4dcbf5..c7546405bd1 100644
--- a/wicket-core/src/main/java/org/apache/wicket/ajax/res/js/wicket-ajax-jquery.js
+++ b/wicket-core/src/main/java/org/apache/wicket/ajax/res/js/wicket-ajax-jquery.js
@@ -861,34 +861,27 @@
 				var steps = context.steps;
 
 				// go through the ajax response and execute all priority-invocations first
-				for (var i = 0; i < root.childNodes.length; ++i) {
-					var childNode = root.childNodes[i];
-					if (childNode.tagName === "header-contribution") {
-						this.processHeaderContribution(context, childNode, nonce);
-					} else if (childNode.tagName === "priority-evaluate") {
-						this.processEvaluation(context, childNode, nonce);
-					}
-				}
+				this.processHeaderContributions(context, root.childNodes, nonce, false);
 
 				// go through the ajax response and for every action (component, js evaluation, header contribution)
 				// ad the proper closure to steps
 				var stepIndexOfLastReplacedComponent = -1;
 				for (var c = 0; c < root.childNodes.length; ++c) {
 					var node = root.childNodes[c];
-
 					if (node.tagName === "component") {
 						if (stepIndexOfLastReplacedComponent === -1) {
 							this.processFocusedComponentMark(context);
 						}
 						stepIndexOfLastReplacedComponent = steps.length;
 						this.processComponent(context, node);
-					} else if (node.tagName === "evaluate") {
-						this.processEvaluation(context, node, nonce);
 					} else if (node.tagName === "redirect") {
 						this.processRedirect(context, node);
 					}
-
 				}
+
+				// go through the ajax response and execute all NON-priority-invocations
+				this.processHeaderContributions(context, root.childNodes, nonce, true);
+
 				if (stepIndexOfLastReplacedComponent !== -1) {
 					this.processFocusedComponentReplaceCheck(steps, stepIndexOfLastReplacedComponent);
 				}
@@ -961,52 +954,14 @@
 			});
 		},
 
-		/**
-		 * Adds a closure that evaluates javascript code.
-		 * @param context {Object} - the object that brings the executer's steps and the attributes
-		 * @param node {Element} - the <[priority-]evaluate> element with the script to evaluate
-		 * @param nonce {String} - optional CSP nonce
-		 */
-		processEvaluation: function (context, node, nonce) {
-
-			// get the javascript body
-			var text = Wicket.DOM.text(node);
-
-			// aliases to improve performance
-			var steps = context.steps;
-			var log = Wicket.Log;
-
-			var evaluate = function (script) {
-				return function(notify) {
-					// just evaluate the javascript
-					Wicket.Ajax.Call.currentNotify = notify;
-					try {
-						// do the evaluation in global scope
-						jQuery.globalEval(script, {nonce: nonce});
-					} catch (exception) {
-						log.error("Ajax.Call.processEvaluation: Exception evaluating javascript: %s", text, exception);
-					}
-					// continue to next step
-					if (Wicket.Ajax.Call._suspended) {
-						// suspended
-						return FunctionsExecuter.ASYNC;
-					} else {
-						// execution finished, cleanup the last notify
-						Wicket.Ajax.Call.currentNotify = undefined;
-						Wicket.Ajax.Call._suspended = 0;
-						// continue to next step
-						return FunctionsExecuter.DONE;
-					}
-				};
-			};
-
-			steps.push(evaluate(text));
-		},
-
-		// Adds a closure that processes a header contribution
-		processHeaderContribution: function (context, node, nonce) {
+		processHeaderContributions: function (context, nodes, nonce, afterComponents) {
 			var c = Wicket.Head.Contributor;
-			c.processContribution(context, node, nonce);
+			for (var i = 0; i < nodes.length; ++i) {
+				var childNode = nodes[i];
+				if (childNode.tagName === "header-contribution") {
+					c.processContribution(context, childNode, nonce, afterComponents);
+				}
+			}
 		},
 
 		// Adds a closure that processes a redirect
@@ -1785,7 +1740,7 @@
 				},
 
 				// Processes the parsed header contribution
-				processContribution: function (context, headerNode, nonce) {
+				processContribution: function (context, headerNode, nonce, afterComponents) {
 					var xmldoc = this.parse(headerNode);
 					var rootNode = xmldoc.documentElement;
 
@@ -1797,13 +1752,15 @@
 					// go through the individual elements and process them according to their type
 					for (var i = 0; i < rootNode.childNodes.length; i++) {
 						var node = rootNode.childNodes[i];
-
 						// Chromium reports the error as a child node
 						if (this._checkParserError(node)) {
 							return;
 						}
 
 						if (!isUndef(node.tagName)) {
+							if (afterComponents !== (node.getAttribute("data-wicket-evaluation") === "after")) {
+								continue;
+							}
 							var name = node.tagName.toLowerCase();
 
 							// it is possible that a reference is surrounded by a <wicket:link
@@ -1980,17 +1937,27 @@
 							if (typeof(id) === "string" && id.length > 0) {
 								// add javascript to document head
 								Wicket.Head.addJavascript(text, id, "", type, nonce);
+								return FunctionsExecuter.DONE;
 							} else {
+								Wicket.Ajax.Call.currentNotify = notify;
 								try {
 									// do the evaluation in global scope
 									jQuery.globalEval(text, {nonce: nonce});
-								} catch (e) {
-									Wicket.Log.error("Wicket.Head.Contributor.processScript: %s", text, e);
+								} catch (exception) {
+									Wicket.Log.error("Wicket.Head.Contributor.processScript: Exception evaluating javascript: %s", text, exception);
+								}
+								// continue to next step
+								if (Wicket.Ajax.Call._suspended) {
+									// suspended
+									return FunctionsExecuter.ASYNC;
+								} else {
+									// execution finished, cleanup the last notify
+									Wicket.Ajax.Call.currentNotify = undefined;
+									Wicket.Ajax.Call._suspended = 0;
+									// continue to next step
+									return FunctionsExecuter.DONE;
 								}
 							}
-
-							// continue to next step
-							return FunctionsExecuter.DONE;
 						}
 					});
 				},
diff --git a/wicket-core/src/main/java/org/apache/wicket/core/request/handler/IPartialPageRequestHandler.java b/wicket-core/src/main/java/org/apache/wicket/core/request/handler/IPartialPageRequestHandler.java
index cb2d9b8200e..da126a290df 100644
--- a/wicket-core/src/main/java/org/apache/wicket/core/request/handler/IPartialPageRequestHandler.java
+++ b/wicket-core/src/main/java/org/apache/wicket/core/request/handler/IPartialPageRequestHandler.java
@@ -78,15 +78,6 @@ public interface IPartialPageRequestHandler extends IPageRequestHandler
 	 */
 	void appendJavaScript(CharSequence javascript);
 
-	/**
-	 * Add extra meta data to partial page response.
-	 * This is the response meta data, not HTML meta data.
-	 *
-	 * @param name meta datum name
-	 * @param value meta datum value
-	 */
-	void addMeta(CharSequence name, CharSequence value);
-
 	/**
 	 * Adds javascript that will be evaluated on the client side before components are replaced.
 	 *
diff --git a/wicket-core/src/main/java/org/apache/wicket/markup/head/AfterDomRenderAjaxJavaScriptHeaderItem.java b/wicket-core/src/main/java/org/apache/wicket/markup/head/AfterDomRenderAjaxJavaScriptHeaderItem.java
new file mode 100644
index 00000000000..6f22ba9dd1c
--- /dev/null
+++ b/wicket-core/src/main/java/org/apache/wicket/markup/head/AfterDomRenderAjaxJavaScriptHeaderItem.java
@@ -0,0 +1,50 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.wicket.markup.head;
+
+import org.apache.wicket.util.value.AttributeMap;
+
+/**
+ * Special header NON-PRIORITY item for ajax evaluations
+ *
+ * @author Andrew Kondratev
+ */
+public class AfterDomRenderAjaxJavaScriptHeaderItem extends JavaScriptContentHeaderItem
+{
+	/**
+	 * Creates a new {@code AfterDomRenderAjaxJavaScriptHeaderItem}.
+	 *
+	 * @param javaScript
+	 * 		javascript content to be rendered.
+	 */
+	protected AfterDomRenderAjaxJavaScriptHeaderItem(CharSequence javaScript)
+	{
+		super(javaScript, null, null);
+	}
+
+	public static AfterDomRenderAjaxJavaScriptHeaderItem forScript(CharSequence javaScript) {
+		return new AfterDomRenderAjaxJavaScriptHeaderItem(javaScript);
+	}
+
+	@Override
+	protected void renderExtraAttributes(AttributeMap attributes)
+	{
+		// evaluate this header item after components were rendered
+		attributes.add("data-wicket-evaluation", "after");
+	}
+
+}
diff --git a/wicket-core/src/main/java/org/apache/wicket/markup/head/JavaScriptContentHeaderItem.java b/wicket-core/src/main/java/org/apache/wicket/markup/head/JavaScriptContentHeaderItem.java
index fccadee9655..afd7b08d841 100644
--- a/wicket-core/src/main/java/org/apache/wicket/markup/head/JavaScriptContentHeaderItem.java
+++ b/wicket-core/src/main/java/org/apache/wicket/markup/head/JavaScriptContentHeaderItem.java
@@ -74,6 +74,7 @@ public void render(Response response)
 		attributes.putAttribute(JavaScriptUtils.ATTR_TYPE, "text/javascript");
 		attributes.putAttribute(JavaScriptUtils.ATTR_ID, getId());
 		attributes.putAttribute(JavaScriptUtils.ATTR_CSP_NONCE, getNonce());
+		renderExtraAttributes(attributes);
 		JavaScriptUtils.writeInlineScript(response, getJavaScript(), attributes);
 
 		if (hasCondition)
@@ -82,6 +83,10 @@ public void render(Response response)
 		}
 	}
 
+	protected void renderExtraAttributes(AttributeMap attributes) {
+		// no-op by default
+	}
+
 	@Override
 	public Iterable<?> getRenderTokens()
 	{
diff --git a/wicket-core/src/main/java/org/apache/wicket/page/PartialPageUpdate.java b/wicket-core/src/main/java/org/apache/wicket/page/PartialPageUpdate.java
index cdeba73e1bb..9de1969a492 100644
--- a/wicket-core/src/main/java/org/apache/wicket/page/PartialPageUpdate.java
+++ b/wicket-core/src/main/java/org/apache/wicket/page/PartialPageUpdate.java
@@ -58,23 +58,15 @@
  * <p>
  * The elements of such response are:
  * <ul>
- * <li>priority-evaluate - an item of the prepend JavaScripts</li>
  * <li>component - the markup of the updated component</li>
- * <li>evaluate - an item of the onDomReady and append JavaScripts</li>
  * <li>header-contribution - all HeaderItems which have been contributed in
- * components' and their behaviors' #renderHead(Component, IHeaderResponse)</li>
+ * components' and their behaviors' #renderHead(Component, IHeaderResponse) and also with {@link #appendJavaScript} and {@link #prependJavaScript}</li>
  * </ul>
  */
 public abstract class PartialPageUpdate
 {
 	private static final Logger LOG = LoggerFactory.getLogger(PartialPageUpdate.class);
 
-	/**
-	 * Meta data to be added to the partial page response.
-	 * This is the response meta data, not HTML meta data.
-	 */
-	protected final List<CharSequence> meta = Generics.newArrayList();
-
 	/**
 	 * A list of scripts (JavaScript) which should be executed on the client side before the
 	 * components' replacement
@@ -163,13 +155,13 @@ public void writeTo(final Response response, final String encoding)
 
 			onBeforeRespond(response);
 
+			setUpHeader();
+
 			// process added components
 			writeComponents(response, encoding);
 
 			onAfterRespond(response);
 
-			writeMeta(response, meta);
-
 			// queue up prepend javascripts. unlike other steps these are executed out of order so that
 			// components can contribute them from inside their onbeforerender methods.
 			writePriorityEvaluations(response, prependJavaScripts);
@@ -181,6 +173,8 @@ public void writeTo(final Response response, final String encoding)
 			evaluationScripts.addAll(appendJavaScripts);
 			writeNormalEvaluations(response, evaluationScripts);
 
+			closeHeader(response);
+
 			writeFooter(response, encoding);
 		} finally {
 			if (header != null && originalHeaderContainer!= null) {
@@ -215,15 +209,6 @@ protected void onAfterRespond(Response response) {
 	 */
     protected abstract void writeFooter(Response response, String encoding);
 
-	/**
-	 *
-	 * @param response
-	 *      the response to write to
-	 * @param meta
-	 *      the collection of prepared meta data (with tags)
-	 */
-	protected abstract void writeMeta(Response response, final Collection<CharSequence> meta);
-
 	/**
 	 *
 	 * @param response
@@ -278,11 +263,14 @@ private void writeComponents(Response response, String encoding)
 		{
 			writeComponent(response, component.getAjaxRegionMarkupId(), component, encoding);
 		}
+	}
 
+	private void closeHeader(Response response)
+	{
 		if (header != null)
 		{
 			RequestCycle cycle = RequestCycle.get();
-			
+
 			// some header responses buffer all calls to render*** until close is called.
 			// when they are closed, they do something (i.e. aggregate all JS resource urls to a
 			// single url), and then "flush" (by writing to the real response) before closing.
@@ -401,17 +389,6 @@ public int hashCode()
 		return result;
 	}
 
-	/**
-	 * Add meta datum to partial page update.
-	 * This is the response meta data, not HTML meta data.
-	 *
-	 * @param name
-	 * @param value
-	 */
-	public final void addMeta(CharSequence name, CharSequence value) {
-		meta.add(String.format("<%1$s>%2$s</%1$s>", Strings.escapeMarkup(name), Strings.escapeMarkup(value)));
-	}
-
 	/**
 	 * Adds script to the ones which are executed after the component replacement.
 	 *
@@ -580,15 +557,6 @@ public IHeaderResponse getHeaderResponse()
 	 */
 	protected void writeHeaderContribution(final Response response, final Component component)
 	{
-		headerRendering = true;
-
-		// create the htmlheadercontainer if needed
-		if (header == null)
-		{
-			header = new PartialHtmlHeaderContainer(this);
-			page.addOrReplace(header);
-		}
-
 		RequestCycle requestCycle = component.getRequestCycle();
 
 		// save old response, set new
@@ -609,6 +577,17 @@ protected void writeHeaderContribution(final Response response, final Component
 		headerRendering = false;
 	}
 
+	private void setUpHeader()
+	{
+		headerRendering = true;
+		// create the htmlheadercontainer if needed
+		if (header == null)
+		{
+			header = new PartialHtmlHeaderContainer(this);
+			page.addOrReplace(header);
+		}
+	}
+
 	/**
 	 * Sets the Content-Type header to indicate the type of the response.
 	 *
diff --git a/wicket-core/src/main/java/org/apache/wicket/page/XmlPartialPageUpdate.java b/wicket-core/src/main/java/org/apache/wicket/page/XmlPartialPageUpdate.java
index 79697d65f53..1f5df297b7f 100644
--- a/wicket-core/src/main/java/org/apache/wicket/page/XmlPartialPageUpdate.java
+++ b/wicket-core/src/main/java/org/apache/wicket/page/XmlPartialPageUpdate.java
@@ -16,15 +16,17 @@
  */
 package org.apache.wicket.page;
 
-import java.util.Collection;
-
 import org.apache.wicket.Component;
 import org.apache.wicket.Page;
+import org.apache.wicket.markup.head.AfterDomRenderAjaxJavaScriptHeaderItem;
+import org.apache.wicket.markup.head.JavaScriptHeaderItem;
 import org.apache.wicket.request.Response;
 import org.apache.wicket.request.cycle.RequestCycle;
 import org.apache.wicket.request.http.WebResponse;
 import org.apache.wicket.util.string.Strings;
 
+import java.util.Collection;
+
 /**
  * A {@link PartialPageUpdate} that serializes itself to XML.
  */
@@ -101,16 +103,6 @@ protected void writeFooter(Response response, String encoding)
 		response.write(END_ROOT_ELEMENT);
 	}
 
-	@Override
-	protected void writeMeta(final Response response, final Collection<CharSequence> meta) {
-		if (meta.size() > 0)
-		{
-			response.write("<meta>");
-			response.write(String.join("", meta));
-			response.write("</meta>");
-		}
-	}
-
 	@Override
 	protected void writeHeaderContribution(Response response)
 	{
@@ -131,17 +123,16 @@ protected void writeHeaderContribution(Response response)
 	@Override
 	protected void writeNormalEvaluations(final Response response, final Collection<CharSequence> scripts)
 	{
-		writeEvaluations(response, "evaluate", scripts);
-
+		writeEvaluations(scripts, false);
 	}
 
 	@Override
 	protected void writePriorityEvaluations(Response response, Collection<CharSequence> scripts)
 	{
-		writeEvaluations(response, "priority-evaluate", scripts);
+		writeEvaluations(scripts, true);
 	}
 
-	private void writeEvaluations(final Response response, String elementName, Collection<CharSequence> scripts)
+	private void writeEvaluations(Collection<CharSequence> scripts, boolean isPriority)
 	{
 		if (scripts.size() > 0)
 		{
@@ -150,32 +141,19 @@ private void writeEvaluations(final Response response, String elementName, Colle
 			{
 				combinedScript.append("(function(){").append(script).append("})();");
 			}
-			writeEvaluation(elementName, response, combinedScript);
+			writeEvaluation(combinedScript, isPriority);
 		}
 	}
 
-	/**
-	* @param invocation
-	*            type of invocation tag, usually {@literal evaluate} or
-	*            {@literal priority-evaluate}
-	* @param response
-	* @param js
-	*/
-	private void writeEvaluation(final String invocation, final Response response, final CharSequence js)
+	private void writeEvaluation(final CharSequence js, boolean isPriority)
 	{
-		response.write("<");
-		response.write(invocation);
-		response.write(">");
-
-		response.write("<![CDATA[");
-		response.write(encode(js));
-		response.write("]]>");
-
-		response.write("</");
-		response.write(invocation);
-		response.write(">");
-
-		bodyBuffer.reset();
+		if (header != null)
+		{
+			header.getHeaderResponse().render(
+					isPriority
+					? JavaScriptHeaderItem.forScript(js, null)
+					: AfterDomRenderAjaxJavaScriptHeaderItem.forScript(js));
+		}
 	}
 
 	protected CharSequence encode(CharSequence str)
diff --git a/wicket-core/src/main/java/org/apache/wicket/response/filter/AjaxServerAndClientTimeFilter.java b/wicket-core/src/main/java/org/apache/wicket/response/filter/AjaxServerAndClientTimeFilter.java
index 618a39b6f3c..bc4e72a3f88 100644
--- a/wicket-core/src/main/java/org/apache/wicket/response/filter/AjaxServerAndClientTimeFilter.java
+++ b/wicket-core/src/main/java/org/apache/wicket/response/filter/AjaxServerAndClientTimeFilter.java
@@ -24,6 +24,7 @@
 import org.apache.wicket.util.string.AppendingStringBuffer;
 import org.apache.wicket.core.util.string.JavaScriptUtils;
 import org.apache.wicket.util.string.interpolator.MapVariableInterpolator;
+import org.apache.wicket.util.value.AttributeMap;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -53,6 +54,10 @@
  */
 public class AjaxServerAndClientTimeFilter implements IResponseFilter
 {
+	private static final String HEADER_CONTRIBUTION_START = "<header-contribution><![CDATA[<head xmlns:wicket=\"http://wicket.apache.org\">";
+	private static final String HEADER_CONTRIBUTION_END = "</head>]]></header-contribution>";
+	public static final String CDATA_SCRIPT_END = "/*]]]]><![CDATA[>*/</script>";
+
 	private static Logger log = LoggerFactory.getLogger(AjaxServerAndClientTimeFilter.class);
 
 	/**
@@ -66,34 +71,62 @@ public AppendingStringBuffer filter(AppendingStringBuffer responseBuffer)
 		int ajaxStart = responseBuffer.indexOf("<ajax-response>");
 		int ajaxEnd = responseBuffer.indexOf("</ajax-response>");
 		long timeTaken = System.currentTimeMillis() - RequestCycle.get().getStartTime();
-		if (headIndex != -1 && bodyIndex != -1)
-		{
-			AppendingStringBuffer endScript = new AppendingStringBuffer(150);
-			endScript.append("\n").append(JavaScriptUtils.SCRIPT_OPEN_TAG);
-			endScript.append("\nwindow.defaultStatus='");
-			endScript.append(getStatusString(timeTaken, "ServerAndClientTimeFilter.statustext"));
-			endScript.append("';\n").append(JavaScriptUtils.SCRIPT_CLOSE_TAG).append("\n");
-			responseBuffer.insert(bodyIndex - 1, endScript);
-			responseBuffer.insert(headIndex + 6, "\n" + JavaScriptUtils.SCRIPT_OPEN_TAG +
-				"\nvar clientTimeVariable = new Date().getTime();\n" +
-				JavaScriptUtils.SCRIPT_CLOSE_TAG + "\n");
-		}
-		else if (ajaxStart != -1 && ajaxEnd != -1)
+		String nonce = getNonce();
+		boolean hasBody = headIndex != -1 && bodyIndex != -1;
+		boolean hasAjaxResponse = ajaxStart != -1 && ajaxEnd != -1;
+
+		if (hasBody || hasAjaxResponse)
 		{
 			AppendingStringBuffer startScript = new AppendingStringBuffer(250);
-			startScript.append("<evaluate><![CDATA[window.defaultStatus='");
-			startScript.append(getStatusString(timeTaken,
-				"ajax.ServerAndClientTimeFilter.statustext"));
-			startScript.append("';]]></evaluate>");
-			responseBuffer.insert(ajaxEnd, startScript.toString());
-			responseBuffer.insert(ajaxStart + 15,
-				"<priority-evaluate><![CDATA[clientTimeVariable = new Date().getTime();]]></priority-evaluate>");
+			startScript.append(createScriptOpenTag(false, nonce));
+			startScript.append(JavaScriptUtils.SCRIPT_CONTENT_PREFIX);
+			startScript.append("clientTimeVariable = new Date().getTime();");
+			startScript.append(CDATA_SCRIPT_END);
+			AppendingStringBuffer endScript = new AppendingStringBuffer(300);
+			endScript.append(createScriptOpenTag(true, nonce));
+			endScript.append(JavaScriptUtils.SCRIPT_CONTENT_PREFIX);
+			endScript.append("\nwindow.defaultStatus='" + getStatusString(timeTaken, "ajax.ServerAndClientTimeFilter.statustext"));
+			endScript.append(CDATA_SCRIPT_END);
+
+			if (hasBody)
+			{
+				responseBuffer.insert(bodyIndex, endScript);
+				responseBuffer.insert(headIndex + 6, startScript);
+			}
+			else
+			{
+				AppendingStringBuffer headerContributionStartBuffer = new AppendingStringBuffer(500);
+				headerContributionStartBuffer.append(HEADER_CONTRIBUTION_START);
+				headerContributionStartBuffer.append(startScript);
+				headerContributionStartBuffer.append(HEADER_CONTRIBUTION_END);
+				AppendingStringBuffer headerContributionEndBuffer = new AppendingStringBuffer(500);
+				headerContributionEndBuffer.append(HEADER_CONTRIBUTION_START);
+				headerContributionEndBuffer.append(endScript);
+				headerContributionEndBuffer.append(HEADER_CONTRIBUTION_END);
+				responseBuffer.insert(ajaxEnd, headerContributionEndBuffer);
+				responseBuffer.insert(ajaxStart + 15, headerContributionStartBuffer);
+			}
 		}
 		log.info(timeTaken + "ms server time taken for request " +
 			RequestCycle.get().getRequest().getUrl() + " response size: " + responseBuffer.length());
 		return responseBuffer;
 	}
 
+	private String createScriptOpenTag(boolean isAfterDomRender, String nonce)
+	{
+		AttributeMap attrs = new AttributeMap();
+		attrs.putAttribute(JavaScriptUtils.ATTR_TYPE, "text/javascript");
+		if (isAfterDomRender)
+		{
+			attrs.putAttribute("data-wicket-evaluation", "after");
+		}
+		if (nonce != null)
+		{
+			attrs.putAttribute(JavaScriptUtils.ATTR_CSP_NONCE, "nonce");
+		}
+		return "<script" + attrs.toString() + ">";
+	}
+
 	/**
 	 * Returns a locale specific status message about the server and client time.
 	 * 
@@ -111,8 +144,16 @@ private String getStatusString(long timeTaken, String resourceKey)
 			.getString(resourceKey, null,
 				"Server parsetime: ${servertime}, Client parsetime: ${clienttime}");
 		final Map<String, String> map = new HashMap<String, String>(4);
-		map.put("clienttime", "' + (new Date().getTime() - clientTimeVariable)/1000 +  's");
+		map.put("clienttime", "' + (new Date().getTime() - clientTimeVariable)/1000 +  's';");
 		map.put("servertime", ((double)timeTaken) / 1000 + "s");
 		return MapVariableInterpolator.interpolate(txt, map);
 	}
+
+	/**
+	 * Get CSP nonce
+	 */
+	protected String getNonce() {
+		return null;
+	}
+
 }
\ No newline at end of file
diff --git a/wicket-examples/src/main/java/org/apache/wicket/examples/csp/CspApplication.java b/wicket-examples/src/main/java/org/apache/wicket/examples/csp/CspApplication.java
index 213c38b47f3..b952b94fc84 100644
--- a/wicket-examples/src/main/java/org/apache/wicket/examples/csp/CspApplication.java
+++ b/wicket-examples/src/main/java/org/apache/wicket/examples/csp/CspApplication.java
@@ -55,15 +55,6 @@ protected void init()
 		setHeaderResponseDecorator(response -> new ResourceAggregator(
 				isCspApplicable() ? new CspNonceHeaderResponse(response, getNonce()) : response
 		));
-		// add nonce to ajax response
-		getAjaxRequestTargetListeners().add((new AjaxRequestTarget.IListener()
-		{
-			@Override
-			public void onBeforeRespond(Map<String, Component> map, AjaxRequestTarget target)
-			{
-				target.addMeta("wicket-nonce", getNonce());
-			}
-		}));
 		
 		mountPage("noncedemo", NonceDemoPage.class);
 	}
diff --git a/wicket-native-websocket/wicket-native-websocket-core/src/main/java/org/apache/wicket/protocol/ws/api/WebSocketRequestHandler.java b/wicket-native-websocket/wicket-native-websocket-core/src/main/java/org/apache/wicket/protocol/ws/api/WebSocketRequestHandler.java
index 5b5e6357180..641844f52cd 100644
--- a/wicket-native-websocket/wicket-native-websocket-core/src/main/java/org/apache/wicket/protocol/ws/api/WebSocketRequestHandler.java
+++ b/wicket-native-websocket/wicket-native-websocket-core/src/main/java/org/apache/wicket/protocol/ws/api/WebSocketRequestHandler.java
@@ -154,12 +154,6 @@ public void appendJavaScript(CharSequence javascript)
 		getUpdate().appendJavaScript(javascript);
 	}
 
-	@Override
-	public void addMeta(CharSequence name, CharSequence value)
-	{
-		getUpdate().addMeta(name, value);
-	}
-
 	@Override
 	public void prependJavaScript(CharSequence javascript)
 	{