Hello everyone,
I recently upgraded an existing GWT application to GWT 2.12 as part of an effort to make it CSP-compliant, using CrossSiteIframeLinker as suggested. I wanted to specifically ask about GXT (Ext GWT).
Context:
Application upgraded to GWT 2.12
Using CrossSiteIframeLinker
Strict CSP without unsafe-eval
Runtime error observed:
(EvalError): Evaluating a string as JavaScript violates the following Content Security Policy directive
From investigation and stack traces, the issue appears to originate from GXT internals, particularly during runtime behavior.
Question:
Do we have any recommendations or supported approaches to use GXT in a CSP-compliant setup without unsafe-eval?
Specifically:
Are there CSP-safe versions of GXT that avoid eval() entirely?
Are there known configuration flags or patterns in GXT to disable eval-based behavior?
Any guidance, experience, or official direction regarding GXT and CSP would be greatly appreciated.
Best regards,
Garima Jain
We are using a custom Linker with GWT 2.12 to be able to work with CSP. The linker extends the CrossSiteIframeLinker and overrides a few methods:
shouldInstallCode always returns false
getHostedFilename returns "" which disables the generation of *.devmode.js files (not needed for us)
getJsProcessMetas returns "com/google/gwt/core/ext/linker/impl/processMetasNull.js" since we don't use meta tags to configure the app
On Dec 3, 2025 at 08:16 +0100, Garima Jain <garim...@gmail.com>, wrote:
Hi everyone,
I'm working on a GWT 2.11.0 application and trying to tighten our Content Security Policy (CSP) by removing the following insecure directives:
unsafe-eval
unsafe-inline
When I try removing unsafe-eval, the application starts throwing browser console errors like:
com.google.gwt.core.client.JavaScriptException: (EvalError) : Evaluating a string as JavaScript violates the following Content Security Policy directive because 'unsafe-eval' is not an allowed source of script: script-src 'self' 'unsafe-inline'.
When I then try removing unsafe-inline, I receive additional CSP errors such as:
Executing inline script violates the CSP directive 'script-src 'self' 'unsafe-eval''. A nonce or hash is required to enable inline execution.
Running javascript: URL violates CSP directive
It looks like both the GWT-generated scripts and some parts of the UI rely on inline scripts and eval-like operations.
I'm trying to find out if anyone has successfully removed both:
unsafe-eval
unsafe-inline
in a GWT 2.11+ application without breaking functionality.
I'm looking for guidance from anyone who has successfully removed both unsafe-eval and unsafe-inline in a GWT 2.11+ application, including any known workarounds, compiler options, migration steps, or advice on handling inline scripts or eval usage in GWT to achieve strict CSP compliance.
--
You received this message because you are subscribed to the Google Groups "GWT Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-web-tool...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/google-web-toolkit/8edc06b3-1c3b-49dc-9929-50a7c94fe7c7n%40googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/google-web-toolkit/b26c6c91-e0e5-477e-8a46-f151fba033afn%40googlegroups.com.
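As an added example (not code from this thread, from GWT, or from the poster's project), this is what a linker with the three overrides described in the reply above looks like; the class name CspLinker and the package com.example.linker are assumptions, while the overridden method signatures are those of GWT's CrossSiteIframeLinker.

```java
// Added example: a CSP-oriented linker built from the overrides described in the reply.
// Package and class name are assumptions; the superclass and its methods are GWT's own.
package com.example.linker;

import com.google.gwt.core.ext.LinkerContext;
import com.google.gwt.core.ext.linker.LinkerOrder;
import com.google.gwt.core.ext.linker.LinkerOrder.Order;
import com.google.gwt.core.ext.linker.Shardable;
import com.google.gwt.core.linker.CrossSiteIframeLinker;

@LinkerOrder(Order.PRIMARY)
@Shardable
public class CspLinker extends CrossSiteIframeLinker {

  @Override
  public String getDescription() {
    return "Cross-site iframe linker for strict CSP (no script-text installation)";
  }

  // Never fetch the compiled permutation as text and install it by injecting script
  // content; let the bootstrap load it through a regular <script src=...> element,
  // which a 'self' script-src policy allows.
  @Override
  protected boolean shouldInstallCode(LinkerContext context) {
    return false;
  }

  // An empty name disables the generation of the *.devmode.js bootstrap file.
  @Override
  protected String getHostedFilename() {
    return "";
  }

  // Use GWT's no-op meta-tag processor: this application is not configured
  // through <meta name="gwt:property"> tags, so nothing needs to be evaluated.
  @Override
  protected String getJsProcessMetas(LinkerContext context) {
    return "com/google/gwt/core/ext/linker/impl/processMetasNull.js";
  }
}
```

Register it in the module descriptor with `<define-linker name="csplinker" class="com.example.linker.CspLinker"/>` followed by `<add-linker name="csplinker"/>` (the linker name is likewise an assumption). This only changes how GWT bootstraps its own output; whether a library such as GXT still calls eval() at runtime is independent of the linker and shows up separately in the browser's CSP violation reports.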