Monday, September 9, 2019

Re: GWT CSP compliance ('unsafe-inline' rule)

On Monday, September 9, 2019 at 3:36:00 PM UTC+2, Yuriy Ostapyuk wrote:

I'm struggling with GWT vs CSP problem, specifically 'unsafe-inline' rule.

I have an application with several deferred modules, which are compiled and linked with 'xsiframe' or 'direct_install' linkers. And my problem is that linkers use ScriptTagLoadingStrategy, which uses callbacks and eventually appends (and then deletes) <script> tag to GWT iframe with inline javascript in it, which in the end violates 'unsafe-inline' rule. I've experimented with default linkers and found out that 'sso' (SingleScriptLinker) fixes the problem, but unfortunately it's not the case for me, as it not support several modules/fragments.

So, I'm wondering maybe someone has already researched this problem or knows some kind of custom linker, which is using a different strategy to support CSP.

Thank you in advance for any help or suggestion.

Most important here in the end is the TODO comment; but that means you should be able to create your own custom linker that would override that method (and possibly others, e.g. getJsRunAsync).

But currently, yes, you need unsafe-inline (and/or CSP3's strict-dynamic, and/or CSP2's hash sources –it should be possible to compute those hashes at compile-time using a special linker; in the worst case a special CrossSiteIframeLinker's wrapDeferredFragment override–)

You received this message because you are subscribed to the Google Groups "GWT Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
To view this discussion on the web visit

No comments:

Post a Comment