Sunday, February 23, 2020

Re: Veracode detected 5 XSS issues in nocache.js



On Monday, February 24, 2020 at 1:10:06 AM UTC+1, Craig Mitchell wrote:
I thought the <module>.nocache.js file just did the loading of the cache.js files, and the user didn't have much control over what went in this file.

You do have full control: you can choose the linker being used (defaults to the CrossSiteIframeLinker), or configure the behavior of the default linker (see https://github.com/gwtproject/gwt/blob/master/user/src/com/google/gwt/core/CrossSiteIframeLinker.gwt.xml to begin with).
You could extend the CrossSiteIframeLinker (or DirectInstallLinker) and override some of the behavior (e.g. getJsComputeUrlForResource or getJsInstallLocation); see https://github.com/gwtproject/gwt/blob/master/dev/core/src/com/google/gwt/core/linker/CrossSiteIframeLinker.java and the *.js scripts in https://github.com/gwtproject/gwt/tree/master/dev/core/src/com/google/gwt/core/ext/linker/impl
