Wednesday, December 3, 2025

Re: GWT 2.11 – How to remove unsafe-eval and unsafe-inline CSP vulnerabilities without breaking the app

We are using a custom Linker with GWT 2.12 to be able to work with CSP.

The linker extends the CrossSiteIframeLinker and overrides a few methods:

  • shouldInstallCode always returns false

  • getHostedFilename returns "" which disables the generation of *.devmode.js files (not needed for us)

  • getJsProcessMetas returns "com/google/gwt/core/ext/linker/impl/processMetasNull.js" since we don't use meta tags to configure the app
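The linker described above, written out as an added example (this is not the poster's code); the package, class name, linker name and the .gwt.xml registration in the comment are assumptions:

```java
// Added example: a CrossSiteIframeLinker subclass applying the three overrides
// from the reply above. Package and class name are assumed, not from the thread.
package com.example.gwt.linker;

import com.google.gwt.core.ext.LinkerContext;
import com.google.gwt.core.ext.linker.LinkerOrder;
import com.google.gwt.core.ext.linker.LinkerOrder.Order;
import com.google.gwt.core.ext.linker.Shardable;
import com.google.gwt.core.linker.CrossSiteIframeLinker;

/**
 * Register it in the module's .gwt.xml (names assumed):
 *   <define-linker name="cspxsiframe"
 *                  class="com.example.gwt.linker.CspCrossSiteIframeLinker"/>
 *   <add-linker name="cspxsiframe"/>
 */
@LinkerOrder(Order.PRIMARY)
@Shardable
public class CspCrossSiteIframeLinker extends CrossSiteIframeLinker {

  @Override
  public String getDescription() {
    return "CSP-friendly Cross-Site-Iframe";
  }

  // Do not "install" the compiled module from a string at runtime;
  // the compiled script is then loaded as an ordinary external script.
  @Override
  protected boolean shouldInstallCode(LinkerContext context) {
    return false;
  }

  // An empty name disables generation of the *.devmode.js files,
  // which are only needed for Dev Mode.
  @Override
  protected String getHostedFilename() {
    return "";
  }

  // The app is not configured through <meta> tags, so use the
  // no-op meta processing script shipped with GWT.
  @Override
  protected String getJsProcessMetas(LinkerContext context) {
    return "com/google/gwt/core/ext/linker/impl/processMetasNull.js";
  }
}
```

After recompiling, verify in the browser console that no EvalError or inline-script CSP report is raised with 'unsafe-eval' and 'unsafe-inline' removed from script-src.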
 
 
On Dec 3, 2025 at 08:16 +0100, Garima Jain <garimaj9837@gmail.com>, wrote:

Tuesday, December 2, 2025

GWT 2.11 – How to remove unsafe-eval and unsafe-inline CSP vulnerabilities without breaking the app

Hi everyone,

I'm working on a GWT 2.11.0 application and trying to tighten our Content Security Policy (CSP) by removing the following insecure directives:

  • unsafe-eval

  • unsafe-inline

When I try removing unsafe-eval, the application starts throwing browser console errors like:

com.google.gwt.core.client.JavaScriptException: (EvalError) : Evaluating a string as JavaScript violates the following Content Security Policy directive because 'unsafe-eval' is not an allowed source of script: script-src 'self' 'unsafe-inline'".

When I then try removing unsafe-inline, I receive additional CSP errors such as:

Executing inline script violates the CSP directive 'script-src 'self' 'unsafe-eval'' A nonce or hash is required to enable inline execution. Running javascript: URL violates CSP directive

It looks like both the GWT-generated scripts and some parts of the UI rely on inline scripts and eval-like operations.
I'm trying to find out if anyone has successfully removed both:

  • unsafe-eval

  • unsafe-inline

in a GWT 2.11+ application without breaking functionality.

I'm looking for guidance from anyone who has successfully removed both unsafe-eval and unsafe-inline in a GWT 2.11+ application, including any known workarounds, compiler options, migration steps, or advice on handling inline scripts or eval usage in GWT to achieve strict CSP compliance.  

--
You received this message because you are subscribed to the Google Groups "GWT Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-web-toolkit+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/google-web-toolkit/8edc06b3-1c3b-49dc-9929-50a7c94fe7c7n%40googlegroups.com.