Thursday, January 29, 2026

Re: Strict CSP (nonce + strict-dynamic) with GWT – CSP violation from code-splitting

I haven't faced this issue. My GWT code splitting works fine, but maybe I haven't turned on all the content security policies.

You did ask this question before, and there was a suggestion to use a custom linker: https://groups.google.com/g/google-web-toolkit/c/rzAAIIZxGUY/m/rDDPSDMQCAAJ

On Friday, 30 January 2026 at 4:20:11 pm UTC+11 Garima Jain wrote:
Hi everyone,

Following up to check if anyone has faced a similar issue with classic GWT and strict CSP.

The application works correctly with a nonce-based CSP and strict-dynamic, but a CSP console error still appears during GWT code splitting (runAsync), when split fragments (e.g., application-0.js) are executed via runtime javascript: URLs.

Error:
application-0.js:1835 Running the JavaScript URL violates the following Content Security Policy directive 'script-src 'self' 'nonce-kq/FBq3JY1ktQIm9FMZoYw==' 'strict-dynamic' 'unsafe-eval''. Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present. The action has been blocked.

If anyone has successfully resolved this CSP error (without relaxing CSP by adding unsafe-inline), I'd really appreciate it if you could share the approach or workaround you used.

Thanks in advance!

On Monday, 26 January 2026 at 14:23:12 UTC+5:30 Garima Jain wrote:

Hi,

I'm working on a classic GWT application and trying to apply a strict Content Security Policy (CSP) using a nonce generated per request.

CSP Using:

default-src 'self'; script-src 'self' 'nonce-<dynamic>' 'strict-dynamic' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; object-src 'self'; img-src 'self' data:;

What's working:

  • The app loads and runs correctly.
  • GWT is able to load its scripts dynamically.
  • The iframe now uses a safe URL (about:blank) instead of a javascript: URL and works with the current CSP.
  • No functional issues in the app.

What's the problem:
Even though everything works, the browser console shows this error:

Running the JavaScript URL violates the Content Security Policy directive

The stack trace originates from GWT code-splitting (runAsync), specifically during execution of split fragments (e.g., application-0.js).
This appears to involve runtime JavaScript execution via javascript: URLs, which is blocked under strict CSP.

My questions:

  1. Is there a supported way in GWT to avoid this javascript: execution when using code splitting?
  2. Is this console error considered a known limitation of classic GWT under strict CSP, and acceptable if the application works correctly?

I'd like to keep CSP strict and avoid adding unsafe-inline.

Thanks!

--
You received this message because you are subscribed to the Google Groups "GWT Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-web-toolkit+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/google-web-toolkit/2a3f4ff7-c170-46b3-a3cc-e6df1f513f35n%40googlegroups.com.
