What am I missing here. I use CssResource and don't have "style-src unsafe-inline" anywhere, and it all works fine.
Ie:
public class ResourcesCommon {
private static final ResourcesCommonDefinitions INSTANCE = GWT.create(ResourcesCommonDefinitions.class);
public static ResourcesCommonDefinitions inst() {
return INSTANCE;
}
}
public interface ResourcesCommonDefinitions extends ClientBundle {
@Source("style.css") ResourcesCommonCSS css();
}
public interface ResourcesCommonCSS extends CssResource {
@ClassName("someStyle") String someStyle();
}
Have all the css in style.css:
.someStyle {
color: red;
}
And in the ui.xml files:
<ui:with field="resCommon" type="proj.my.ResourcesCommon" />
<div ui:field="myDiv" class="{resCommon.inst.css. someStyle }">
</div>
On Thursday 1 August 2024 at 1:11:45 pm UTC+10 Colin Alworth wrote:
It looks to me as though a separate StyleInjector implementation could be provided that no longer batches style tag creation, but instead inserts each individually. When the app is compiled, the hash for each block of CSS could be computed (...minus any runtime value interpolation), and a generated file made available to the server so that appropriate CSP headers can be set on http responses.
Creating many individual css files and loading them via <link> tags is an option too, but won't load synchronously that way, unless you hit them all at startup (which then would mean that you may load them unnecessarily).
Alternatively, a nonce could be specified and injected with each style tag - but that seems like a weaker approach in general, since it requires making the nonce available to the page's script code.
There are multiple ways of using CSS in the UIBinder, I'm not sure which one uses injectStyleSheet behind the scenes. Are you referring to using:
- The <ui:style> tag in the ui.xml files.
- Resources with CssResource and the <ui:with ...> tag in the ui.xml files.
- Or are you programmatically injecting CSS in the code.
The obvious workaround would be to put your CSS in the main index.html file, and reference it from there, however, that might not be practical for your situation.
Hello all. I am working to make our webapp compliant with our CSP, and have removed `style-src unsafe-inline`. I am working through any errors that have popped up, but one is stumping me
At runtime, it appears that GWT is injecting all the CSS from our Ui Binder files using
StyleInjectorImpl `injectStyleSheet` method.
This is violating the CSP. Is there any way around this? I'm aware that the main way to ensure CSP compliance is to use a nonce value, but due to some quirks with our setup, this is not possible.
--
You received this message because you are subscribed to the Google Groups "GWT Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
google-web-toolkit+unsubscribe@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/google-web-toolkit/c6889143-04cb-4ca8-a907-11d408a0434fn%40googlegroups.com.