Thursday, August 28, 2025

Re: How to remove/avoid unsafe-eval in GWT with CSP?

Sounds like you're hitting this:  https://github.com/gwtproject/gwt/issues/9578

On Friday, 29 August 2025 at 3:35:25 pm UTC+10 Deepali Sharma wrote:

Hi all,

I am working on a GWT application and facing issues with Content Security Policy (CSP). Currently, GWT uses eval() (or similar dynamic code execution), which means I need to allow unsafe-eval in my CSP. Without this, the page does not load at all.

This is causing repeated failures in application security scans, since unsafe-eval is considered a security risk.

  • Is there a way to remove or avoid unsafe-eval in GWT?

  • Does GWT provide a CSP-compliant compilation mode or configuration to handle this?

  • If yes, how can I enable it in my project (Maven/GWT config)?

Any guidance or best practices to make GWT work with CSP without unsafe-eval would be really helpful.

Thanks!

--
You received this message because you are subscribed to the Google Groups "GWT Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-web-toolkit+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/google-web-toolkit/8e0d4b7a-f84d-4a05-858e-988a8f931da6n%40googlegroups.com.
Posted by at No comments:

How to remove/avoid unsafe-eval in GWT with CSP?

Hi all,

I am working on a GWT application and facing issues with Content Security Policy (CSP). Currently, GWT uses eval() (or similar dynamic code execution), which means I need to allow unsafe-eval in my CSP. Without this, the page does not load at all.

This is causing repeated failures in application security scans, since unsafe-eval is considered a security risk.

  • Is there a way to remove or avoid unsafe-eval in GWT?

  • Does GWT provide a CSP-compliant compilation mode or configuration to handle this?

  • If yes, how can I enable it in my project (Maven/GWT config)?

Any guidance or best practices to make GWT work with CSP without unsafe-eval would be really helpful.

Thanks!

--
You received this message because you are subscribed to the Google Groups "GWT Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-web-toolkit+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/google-web-toolkit/006d142f-f80d-4b59-b67c-6bf3327a71d0n%40googlegroups.com.
Posted by at No comments:

Domino-ui 2.0.5 released

Domino-ui 2.0.5 have been released with many bug fixes and enhancements.
You can check the release notes here https://github.com/DominoKit/domino-ui/releases/tag/2.0.5

Demo application https://dominokit.com/domino-ui/demo/v2 have also been updated and deployed.

Enjoy!. 😀

--
You received this message because you are subscribed to the Google Groups "GWT Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-web-toolkit+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/google-web-toolkit/1b66517f-dbdb-4462-9ec7-2ae08fbecdd1n%40googlegroups.com.
Posted by at No comments:

Tuesday, August 19, 2025

Re: Elemental2 WebRTC createOffer and createAnswer are incorrect

Following up on my own comment:  A request for a new build with updated closure externs has been made:  https://github.com/google/elemental2/issues/175

On Sunday, 20 July 2025 at 9:37:31 am UTC+10 Craig Mitchell wrote:
Now the good people at the closure-compiler have fixed the error ( https://github.com/google/closure-compiler/commit/5aadfa78592a2778ae4cac52613fb9238228b3e8 ), I see I can build a new version of Elemental2 locally ( https://github.com/google/elemental2?tab=readme-ov-file#build-gwt-compatible-maven-jar-files ).

It would be nice to get an offical Elemental2 build, and have it pushed to Maven.  It looks like one hasn't been done for 9 months, is there any offical Elemental2 release schedule?

On Tuesday, 15 July 2025 at 7:37:27 pm UTC+10 Craig Mitchell wrote:
Thanks Jens.  Bug raised:  https://github.com/google/closure-compiler/issues/4249

On Tuesday, 15 July 2025 at 6:49:06 pm UTC+10 Jens wrote:
And this works great.  But it would be nice to fix Elemental2.

You have to file an issue against closure-compiler because elemental2 takes their definition: https://github.com/google/closure-compiler/blob/15c5dd492cbb9dcdfd24d01f75b64e3e9b2291eb/externs/browser/w3c_rtc.js#L3586C23-L3586C44

-- J. 

--
You received this message because you are subscribed to the Google Groups "GWT Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-web-toolkit+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/google-web-toolkit/6d1d255c-fd80-4285-a99c-df045e6c73f2n%40googlegroups.com.
Posted by at No comments:

Re: Elemental2 doesn't support all calls?

Thanks Thomas.

I see w3c_vibration.js in the closure-compiler:  https://github.com/google/closure-compiler/blob/master/externs/browser/w3c_vibration.js

So it looks like the Elemental2 build needs to be updated to use w3c_vibration.js.

Issue raised:  https://github.com/google/elemental2/issues/177

On Tuesday, 19 August 2025 at 10:33:03 pm UTC+10 Thomas Broyer wrote:
Elemental2 is generated from the Closure Library definitions (with some overrides), so first Closure needs to be updated to include it, then Elemental2 needs to pick up the changes (assuming they are in a file that Elemental2 looks at; so sometimes Elemental2 build needs to be updated)

On Friday, August 15, 2025 at 1:03:39 AM UTC+2 ma...@craig-mitchell.com wrote:
The opening statement of Elemental2 says "Elemental2 provides type checked access to all browser APIs for Java code."

I went to use navigator.vibrate ( https://developer.mozilla.org/en-US/docs/Web/API/Navigator/vibrate ) and found Elemental2 doesn't have it.

Does anyone know why it's not there?

--
You received this message because you are subscribed to the Google Groups "GWT Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-web-toolkit+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/google-web-toolkit/d572e484-d79b-4011-8b6a-7a303f4c7f81n%40googlegroups.com.
Posted by at No comments:

Re: Elemental2 doesn't support all calls?

Elemental2 is generated from the Closure Library definitions (with some overrides), so first Closure needs to be updated to include it, then Elemental2 needs to pick up the changes (assuming they are in a file that Elemental2 looks at; so sometimes Elemental2 build needs to be updated)

On Friday, August 15, 2025 at 1:03:39 AM UTC+2 ma...@craig-mitchell.com wrote:
The opening statement of Elemental2 says "Elemental2 provides type checked access to all browser APIs for Java code."

I went to use navigator.vibrate ( https://developer.mozilla.org/en-US/docs/Web/API/Navigator/vibrate ) and found Elemental2 doesn't have it.

Does anyone know why it's not there?

--
You received this message because you are subscribed to the Google Groups "GWT Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-web-toolkit+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/google-web-toolkit/01f78ff9-3730-4412-b958-ecd6b1b93712n%40googlegroups.com.
Posted by at No comments:

Thursday, August 14, 2025

Re: Elemental2 doesn't support all calls?

btw:  This isn't a big deal, as JSInterop can easily do it:

import jsinterop.annotations.JsMethod;
import jsinterop.annotations.JsPackage;
import jsinterop.annotations.JsType;

@JsType(isNative = true, namespace = JsPackage.GLOBAL)
public interface NavigatorVibrate {
  @JsMethod
  boolean vibrate(double milliseconds);
  @JsMethod
  boolean vibrate(double[] pattern);
}

NavigatorVibrate nav = Js.cast(DomGlobal.navigator);
nav.vibrate(80);

Just found it odd that this one thing (maybe others too?) is missing.

On Friday, 15 August 2025 at 9:03:39 am UTC+10 Craig Mitchell wrote:
The opening statement of Elemental2 says "Elemental2 provides type checked access to all browser APIs for Java code."

I went to use navigator.vibrate ( https://developer.mozilla.org/en-US/docs/Web/API/Navigator/vibrate ) and found Elemental2 doesn't have it.

Does anyone know why it's not there?

--
You received this message because you are subscribed to the Google Groups "GWT Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-web-toolkit+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/google-web-toolkit/2a4ebfb2-8081-4824-bb60-a910c3567867n%40googlegroups.com.
Posted by at No comments:
Subscribe to: Posts (Atom)