Friday, November 29, 2019

Adding u2f to js.identifier.blacklist

The obfuscator does not have "u2f" as a blacklisted identifier. In conjunction with a Firefox that now (>=67) has U2F enabled by default (see about:config, security.webauth.u2f) the identifier "window.u2f" is made available. When the obfuscator uses u2f as an output symbol, weird things can happen, such as properties that are expected to be found on the object bound to the obfuscated "u2f" identifier not being found because u2f points to the U2F object and not the application object.

In our project we work around this by adding

   <extend-configuration-property name="js.identifier.blacklist" value="u2f"/>

to a base module that all our modules inherit. I think this should become part of the standard, as it is error-prone and incredibly time-consuming to figure out the root cause of the errors that can result.
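A build-time check for the kind of collision described above, as an added example that is not part of the original post or of GWT: it scans obfuscated output for declared names that match globals the browser already provides. The function names, the sample output and the sample globals list are constructed for illustration, and the regex scan is a heuristic, not a JavaScript parser.

```javascript
// Added example (not GWT code): flag obfuscator-chosen names that collide
// with host-provided globals such as window.u2f.

// Collect names declared with `function NAME` or in `var` declarator lists.
// Heuristic: a `var` list is read up to the first ';'.
function declaredNames(src) {
  // Blank out string literals so their contents are not read as code.
  const code = src.replace(/"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'/g, '""');
  const names = new Set();
  for (const m of code.matchAll(/\bfunction\s+([A-Za-z_$][\w$]*)/g)) {
    names.add(m[1]);
  }
  for (const m of code.matchAll(/\bvar\s+([^;]*)/g)) {
    let depth = 0;
    let expectName = true; // true at the start of each top-level declarator
    for (const tok of m[1].matchAll(/[A-Za-z_$][\w$]*|[()\[\]{},]/g)) {
      const t = tok[0];
      if ("([{".includes(t)) depth++;
      else if (")]}".includes(t)) depth--;
      else if (t === ",") { if (depth === 0) expectName = true; }
      else if (expectName && depth === 0) { names.add(t); expectName = false; }
    }
  }
  return names;
}

// Return declared names that are also host globals, sorted.
// In a browser, hostGlobals could be Object.getOwnPropertyNames(window).
function findHostCollisions(src, hostGlobals) {
  const host = new Set(hostGlobals);
  return [...declaredNames(src)].filter((n) => host.has(n)).sort();
}

// Constructed sample of obfuscated output; "name" appears only in a string.
const SAMPLE_OUTPUT =
  'function a1(){return "var name"}' +
  'var b2={k:[1,2]},u2f={},c3;function d4(){return u2f.x}';
// Constructed sample of globals a browser exposes (u2f as in Firefox >= 67).
const SAMPLE_HOST_GLOBALS = ["window", "document", "name", "u2f"];

console.log(findHostCollisions(SAMPLE_OUTPUT, SAMPLE_HOST_GLOBALS));
```

Every name this reports is a candidate for `js.identifier.blacklist`.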
