papegaaij
diff --git a/‎wicket-core/src/main/java/org/apache/wicket/protocol/http/DefaultResourceIsolationPolicy.java
+7-4 b/‎wicket-core/src/main/java/org/apache/wicket/protocol/http/DefaultResourceIsolationPolicy.java
+7-4
@@ -34,24 +34,27 @@ public class DefaultResourceIsolationPolicy implements ResourceIsolationPolicy
 {
 
 	@Override
-	public boolean isRequestAllowed(HttpServletRequest request, IRequestablePage targetPage)
+	public ResourceIsolationOutcome isRequestAllowed(HttpServletRequest request,
+		IRequestablePage targetPage)
 	{
 		// request made by a legacy browser with no support for Fetch Metadata
 		if (!hasFetchMetadataHeaders(request))
 		{
-			return true;
+			return ResourceIsolationOutcome.UNKNOWN;
 		}
 
 		String site = request.getHeader(SEC_FETCH_SITE_HEADER);
 
 		// Allow same-site and browser-initiated requests
 		if (SAME_ORIGIN.equals(site) || SAME_SITE.equals(site) || NONE.equals(site))
 		{
-			return true;
+			return ResourceIsolationOutcome.ALLOWED;
 		}
 
 		// Allow simple top-level navigations except <object> and <embed>
-		return isAllowedTopLevelNavigation(request);
+		return isAllowedTopLevelNavigation(request)
+			? ResourceIsolationOutcome.ALLOWED
+			: ResourceIsolationOutcome.DISALLOWED;
 	}
 
 	private boolean isAllowedTopLevelNavigation(HttpServletRequest request)
Original file line number	Diff line number	Diff line change
`@@ -34,24 +34,27 @@ public class DefaultResourceIsolationPolicy implements ResourceIsolationPolicy`
`34`	`34`	`{`
`35`	`35`
`36`	`36`	`@Override`
`37`		`- public boolean isRequestAllowed(HttpServletRequest request, IRequestablePage targetPage)`
	`37`	`+ public ResourceIsolationOutcome isRequestAllowed(HttpServletRequest request,`
	`38`	`+ IRequestablePage targetPage)`
`38`	`39`	`{`
`39`	`40`	`// request made by a legacy browser with no support for Fetch Metadata`
`40`	`41`	`if (!hasFetchMetadataHeaders(request))`
`41`	`42`	`{`
`42`		`- return true;`
	`43`	`+ return ResourceIsolationOutcome.UNKNOWN;`
`43`	`44`	`}`
`44`	`45`
`45`	`46`	`String site = request.getHeader(SEC_FETCH_SITE_HEADER);`
`46`	`47`
`47`	`48`	`// Allow same-site and browser-initiated requests`
`48`	`49`	`if (SAME_ORIGIN.equals(site) \|\| SAME_SITE.equals(site) \|\| NONE.equals(site))`
`49`	`50`	`{`
`50`		`- return true;`
	`51`	`+ return ResourceIsolationOutcome.ALLOWED;`
`51`	`52`	`}`
`52`	`53`
`53`	`54`	`// Allow simple top-level navigations except <object> and <embed>`
`54`		`- return isAllowedTopLevelNavigation(request);`
	`55`	`+ return isAllowedTopLevelNavigation(request)`
	`56`	`+ ? ResourceIsolationOutcome.ALLOWED`
	`57`	`+ : ResourceIsolationOutcome.DISALLOWED;`
`55`	`58`	`}`
`56`	`59`
`57`	`60`	`private boolean isAllowedTopLevelNavigation(HttpServletRequest request)`