We are implementing CSP in our application, which uses GWT version 2.10.0.
The scripts are using a nonce value set on the tags which the CSP script-src directive uses to verify and to allow access.
We also have URLs which need to be whitelisted in the script-src directive, so we cannot use strict-dynamic for inline scripts.
We have code splitting enabled in GWT and are also using xsiframe.
Nothing works to implement inline JS; *nocache.js fails with this at f.appendChild(g):
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' Either the 'unsafe-inline' keyword, a hash ('sha256-ZcEtuzld5ACAA/kdUUaWjDmI0w4iu451MSo8nEMgTRY='), or a nonce ('nonce-...') is required to enable inline execution.
Tried the options below; none of them work:
1. <add-linker name="direct_install" />
2. MutationObserver
3. Also tried overriding window.__installRunAsyncCode and window.__gwt_getInstallScript to append the nonce value.
4. ScriptInjector value to set the nonce.
5. CrossSiteLinkerFramework to override getJsInstallScript()
This works, but only with no code splitting:
<set-configuration-property name="installCode" value="false" />
<!--A related property that must also be configured to properly handle fragment loading -->
<set-configuration-property name="installScriptJs"
value="com/google/gwt/core/ext/linker/impl/installScriptDirect.js" />
Does anyone know how this can be implemented to solve the inline JS issue in GWT?
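Added example, not part of the original post and not GWT code: a simplified model of the inline-script check behind the error quoted above. It shows that 'self' and host allowlist entries never authorize an inline script, so a script element appended at runtime needs the page's nonce or a matching hash. The policy, nonce value, script text and the function names `hashSource` and `inlineScriptAllowed` are constructed for illustration.

```javascript
// Added example: simplified model of the CSP Level 3 inline-script check.
// Names and sample values are constructed for illustration, not GWT code.
const { createHash } = require('node:crypto');

// CSP hash-source for an inline script body: base64 of its SHA-256 digest.
function hashSource(scriptText) {
  const digest = createHash('sha256').update(scriptText, 'utf8').digest('base64');
  return `'sha256-${digest}'`;
}

// sourceList: the value of script-src. nonceAttr: the element's nonce, or null.
function inlineScriptAllowed(sourceList, scriptText, nonceAttr) {
  const sources = sourceList.trim().split(/\s+/);
  const keywords = sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = keywords.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  // 'unsafe-inline' is ignored once a nonce, hash or 'strict-dynamic' is present.
  if (keywords.includes("'unsafe-inline'") && !hasNonceOrHash &&
      !keywords.includes("'strict-dynamic'")) {
    return { allowed: true, reason: 'unsafe-inline' };
  }
  // Nonce and hash values are compared case-sensitively.
  if (nonceAttr && sources.includes(`'nonce-${nonceAttr}'`)) {
    return { allowed: true, reason: 'nonce' };
  }
  if (sources.includes(hashSource(scriptText))) {
    return { allowed: true, reason: 'hash' };
  }
  // 'self', schemes and host entries only apply to external script URLs.
  return { allowed: false, reason: 'no matching nonce or hash' };
}

// Constructed policy: nonce plus an allowlisted host, as in the setup described.
const POLICY = "'self' 'nonce-r4nd0mN0nce' https://cdn.example.com";
const INSTALL_CODE = 'window.constructedInstall = true;'; // constructed script body

function demo() {
  return {
    noNonce: inlineScriptAllowed(POLICY, INSTALL_CODE, null),
    withNonce: inlineScriptAllowed(POLICY, INSTALL_CODE, 'r4nd0mN0nce'),
    unsafeInlineAdded: inlineScriptAllowed(POLICY + " 'unsafe-inline'", INSTALL_CODE, null),
    withHash: inlineScriptAllowed(`'self' ${hashSource(INSTALL_CODE)}`, INSTALL_CODE, null),
  };
}

console.log(demo());
```

A hash source only helps when the inline script body is byte-for-byte stable between builds and requests; otherwise the nonce has to reach the dynamically created element.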