Friday, October 10, 2025

Re: GWT 2.10.0 Content Security Policy issue for *.nocache.js inline JS

I'm not sure what options 2-5 would have to do with loading the initial fragment, so perhaps this is a series of steps that resolves multiple, different CSP violations?

That is, step 1 should solve the nocache.js trying to append its contents - can you then share the other errors you specifically ran into, and how the fixes were applied, and what errors still remained?

Using a newer version of GWT may also serve you well here - https://github.com/gwtproject/gwt/commit/c6b8b0540b2f86304a0b9764f1499f8142aadf3d is in 2.11 and above, and handles a CSP issue with direct_install. Note that 2.12.2 is latest.

On Thursday, October 9, 2025 at 11:59:14 AM UTC-5 Santosh Rao wrote:

We are implementing CSP in our application which uses GWT 2.10.0 version. 

The scripts are using a nonce value set on the tags which the CSP script-src directive uses to verify and to allow access. 

We also have URLs which need to be whitelisted in the script-src directive. So we cannot use strict-dynamic for inline scripts.

We have code splitting enabled in GWT and are also using xsiframe.

Nothing works to implement inline JS in *nocache.js fails with this - f.appendChild(g) - Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' Either the 'unsafe-inline' keyword, a hash ('sha256-ZcEtuzld5ACAA/kdUUaWjDmI0w4iu451MSo8nEMgTRY='), or a nonce ('nonce-...') is required to enable inline execution.


Tried the below options - does not work

1. <add-linker name="direct_install" />

2. MutationObserver

3. Also tried overriding window.__installRunAsyncCode and window.__gwt_getInstallScript to append the nonce value.

4. ScriptInjector value to set the nonce.

5. CrossSiteLinkerFramework to override getJsInstallScript()

This works - But only with No code splitting

<set-configuration-property name="installCode" value="false" />
<!-- A related property that must also be configured to properly handle fragment loading -->
<set-configuration-property name="installScriptJs"
                            value="com/google/gwt/core/ext/linker/impl/installScriptDirect.js" />

Does anyone know how this can be implemented to solve the inline JS issue in GWT. 
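
The check behind the "Refused to execute inline script" error quoted above, as an added example that is not part of the original thread and is not GWT code: a simplified model of how a browser matches an inline script against script-src by nonce, hash or 'unsafe-inline'. The function names, sample policy, nonce and script body are constructed for illustration, and 'strict-dynamic' and 'unsafe-hashes' are not modelled.

```javascript
// Added example: simplified model of the CSP inline-script check (not GWT code).
const nodeCrypto = require('crypto');

// CSP hash-source for an inline script body: 'sha256-<base64 digest of the exact text>'.
function cspHashSource(scriptText) {
  const digest = nodeCrypto.createHash('sha256').update(scriptText, 'utf8').digest('base64');
  return `'sha256-${digest}'`;
}

// Extract the source list of script-src, falling back to default-src.
// When a directive is repeated, only its first occurrence counts.
function scriptSources(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), values);
  }
  return directives.get('script-src') ?? directives.get('default-src') ?? null;
}

// Decide whether an inline <script> (body text plus optional nonce attribute) may run.
function inlineScriptAllowed(policy, scriptText, nonceAttr) {
  const sources = scriptSources(policy);
  if (sources === null) return { allowed: true, reason: 'no script-src or default-src' };
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha(256|384|512))-/i.test(s));
  if (nonceAttr && sources.includes(`'nonce-${nonceAttr}'`)) {
    return { allowed: true, reason: 'nonce matches' };
  }
  if (sources.includes(cspHashSource(scriptText))) {
    return { allowed: true, reason: 'hash matches' };
  }
  // 'unsafe-inline' is ignored as soon as any nonce or hash source is present.
  if (sources.some((s) => s.toLowerCase() === "'unsafe-inline'") && !hasNonceOrHash) {
    return { allowed: true, reason: 'unsafe-inline' };
  }
  return { allowed: false, reason: 'no matching nonce, hash or unsafe-inline' };
}

// Constructed sample values: the policy, nonce and script body are illustrative only.
const POLICY = "script-src 'self' https://cdn.example.test 'nonce-r4nd0mPerResponse'";
const INSTALL_SCRIPT = 'window.demoInstalled = true;';
```

A script element that is created at runtime and appended without a nonce attribute takes the last branch, which is the situation the error message reports.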
