Monday, September 9, 2019

GWT CSP compliance ('unsafe-inline' rule)


I'm struggling with GWT vs CSP problem, specifically 'unsafe-inline' rule.

I have an application with several deferred modules, which are compiled and linked with 'xsiframe' or 'direct_install' linkers. And my problem is that linkers use ScriptTagLoadingStrategy, which uses callbacks and eventually appends (and then deletes) <script> tag to GWT iframe with inline javascript in it, which in the end violates 'unsafe-inline' rule. I've experimented with default linkers and found out that 'sso' (SingleScriptLinker) fixes the problem, but unfortunately it's not the case for me, as it not support several modules/fragments.

So, I'm wondering maybe someone has already researched this problem or knows some kind of custom linker, which is using a different strategy to support CSP.

Thank you in advance for any help or suggestion.


You received this message because you are subscribed to the Google Groups "GWT Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
To view this discussion on the web visit

No comments:

Post a Comment