After some discussion in gitter a few hours ago, we filed https://github.com/gwtproject/gwt/issues/9990 as a research topic to look more deeply into this within GWT itself.
It looks to me as though a separate StyleInjector implementation could be provided that no longer batches style tag creation, but instead inserts each individually. When the app is compiled, the hash for each block of CSS could be computed (...minus any runtime value interpolation), and a generated file made available to the server so that appropriate CSP headers can be set on http responses.
Creating many individual css files and loading them via <link> tags is an option too, but won't load synchronously that way, unless you hit them all at startup (which then would mean that you may load them unnecessarily).
Alternatively, a nonce could be specified and injected with each style tag - but that seems like a weaker approach in general, since it requires making the nonce available to the page's script code.
On Wednesday, July 31, 2024 at 8:26:57 PM UTC-5 ma...@craig-mitchell.com wrote:
There are multiple ways of using CSS in the UIBinder, I'm not sure which one uses injectStyleSheet behind the scenes. Are you referring to using:
- The <ui:style> tag in the ui.xml files.
- Resources with CssResource and the <ui:with ...> tag in the ui.xml files.
- Or are you programmatically injecting CSS in the code.
The obvious workaround would be to put your CSS in the main index.html file, and reference it from there, however, that might not be practical for your situation.On Thursday 1 August 2024 at 1:42:16 am UTC+10 mighty...@gmail.com wrote:Hello all. I am working to make our webapp compliant with our CSP, and have removed `style-src unsafe-inline`. I am working through any errors that have popped up, but one is stumping meAt runtime, it appears that GWT is injecting all the CSS from our Ui Binder files using StyleInjectorImpl `injectStyleSheet` method.This is violating the CSP. Is there any way around this? I'm aware that the main way to ensure CSP compliance is to use a nonce value, but due to some quirks with our setup, this is not possible.
You received this message because you are subscribed to the Google Groups "GWT Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-web-toolkit+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-web-toolkit/830b1bc0-0bc7-440f-a39f-c392a11abe1dn%40googlegroups.com.
No comments:
Post a Comment