Wednesday, July 31, 2024

Re: CSP issues with UiBinder

There are multiple ways of using CSS in the UIBinder, I'm not sure which one uses injectStyleSheet behind the scenes.  Are you referring to using:
  1. The <ui:style> tag in the ui.xml files.
  2. Resources with CssResource and the <ui:with ...> tag in the ui.xml files.
  3. Or are you programmatically injecting CSS in the code.
The obvious workaround would be to put your CSS in the main index.html file, and reference it from there, however, that might not be practical for your situation.

On Thursday 1 August 2024 at 1:42:16 am UTC+10 mighty...@gmail.com wrote:
Hello all. I am working to make our webapp compliant with our CSP, and have removed `style-src unsafe-inline`. I am working through any errors that have popped up, but one is stumping me

At runtime, it appears that GWT is injecting all the CSS from our Ui Binder files using StyleInjectorImpl `injectStyleSheet` method. 

This is violating the CSP. Is there any way around this? I'm aware that the main way to ensure CSP compliance is to use a nonce value, but due to some quirks with our setup, this is not possible. 

--
You received this message because you are subscribed to the Google Groups "GWT Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-web-toolkit+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-web-toolkit/1a28cca6-974c-4265-b018-af95dcf52c4en%40googlegroups.com.

No comments:

Post a Comment