Monday, January 26, 2026

Strict CSP (nonce + strict-dynamic) with GWT – CSP violation from code-splitting

Hi,

I'm working on a classic GWT application and trying to apply a strict Content Security Policy (CSP) using a nonce generated per request.

CSP in use:

default-src 'self'; script-src 'self' 'nonce-<dynamic>' 'strict-dynamic' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; object-src 'self'; img-src 'self' data:;

What's working:

  • The app loads and runs correctly.

  • GWT is able to load its scripts dynamically.

  • The iframe now uses a safe URL (about:blank) instead of a javascript: URL and works with the current CSP.  

  • No functional issues in the app.

What's the problem:
Even though everything works, the browser console shows this error:

Running the JavaScript URL violates the Content Security Policy directive

The stack trace originates from GWT code-splitting (runAsync), specifically during execution of split fragments (e.g., application-0.js).
This appears to involve runtime JavaScript execution via javascript: URLs, which is blocked under strict CSP.

My questions:

  1. Is there a supported way in GWT to avoid this javascript: execution when using code splitting?

  2. Is this console error considered a known limitation of classic GWT under strict CSP, and acceptable if the application works correctly?

I'd like to keep CSP strict and avoid adding unsafe-inline.

Thanks!

--
You received this message because you are subscribed to the Google Groups "GWT Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-web-toolkit+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/google-web-toolkit/7201931a-1b17-4cdf-a6b4-edfd07231e9bn%40googlegroups.com.
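The policy from the post, exercised against a small model of the CSP3 script-src matching rules. This is an added example and is not code from the post, from GWT, or from any browser; it assumes a page origin of https://app.example and a fixed demo nonce, models 'self', exact-origin host sources, nonces, 'unsafe-inline' and 'strict-dynamic', and leaves hashes and 'unsafe-hashes' out. It shows why the nonced bootstrap script and a fragment appended through createElement are allowed while a javascript: URL is reported: a javascript: navigation is inline script that cannot carry a nonce, and the nonce plus 'strict-dynamic' in the policy switch 'unsafe-inline' off, so nothing in the source list can authorise it.

```javascript
// Added example (not GWT code and not from the original post): a model of the
// CSP3 script-src rules covering 'self', host sources, nonces, 'unsafe-inline'
// and 'strict-dynamic'. Hashes and 'unsafe-hashes' are deliberately not modelled.

const SITE_ORIGIN = "https://app.example"; // assumed origin of the GWT host page

// The policy from the post, built for one request from a freshly generated nonce.
function buildPolicy(nonce) {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}' 'strict-dynamic' 'unsafe-eval'`,
    "style-src 'self' 'unsafe-inline'",
    "object-src 'self'",
    "img-src 'self' data:",
  ].join("; ") + ";";
}

// Per-request nonce: 128 bits from the CSPRNG, base64 encoded (Node only).
function makeNonce() {
  const { randomBytes } = require("crypto");
  return randomBytes(16).toString("base64");
}

// Parse "name src src; name src" into { name: [src, ...] }; keywords keep their quotes.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Decide whether one script load or execution is allowed under the header.
// req.kind: "javascript-url" | "inline" | "parser-inserted" | "dynamic"
// req.nonce: nonce attribute on the element (if any); req.url: script URL (external kinds)
// Returns { allowed, reason }.
function checkScript(header, req) {
  const d = parseCsp(header);
  const sources = d["script-src"] || d["default-src"] || [];
  const lower = sources.map((s) => s.toLowerCase());
  const hasNonce = sources.some((s) => /^'nonce-/.test(s));
  const strictDynamic = lower.includes("'strict-dynamic'");
  // CSP3: 'unsafe-inline' is ignored as soon as a nonce/hash or 'strict-dynamic' is present.
  const unsafeInline = lower.includes("'unsafe-inline'") && !hasNonce && !strictDynamic;
  const nonceMatches = req.nonce !== undefined && sources.includes(`'nonce-${req.nonce}'`);

  if (req.kind === "javascript-url") {
    // A javascript: navigation is inline script with no element to carry a nonce,
    // so only an effective 'unsafe-inline' can permit it.
    return unsafeInline
      ? { allowed: true, reason: "unsafe-inline" }
      : { allowed: false, reason: "javascript: URL needs 'unsafe-inline', which the nonce and 'strict-dynamic' disable" };
  }
  if (req.kind === "inline") {
    if (nonceMatches) return { allowed: true, reason: "nonce" };
    return unsafeInline
      ? { allowed: true, reason: "unsafe-inline" }
      : { allowed: false, reason: "inline script without a matching nonce" };
  }
  // External script: either parser-inserted <script src> or created via createElement.
  if (nonceMatches) return { allowed: true, reason: "nonce" };
  if (strictDynamic) {
    // Host sources and 'self' are ignored. Trust propagates from an already trusted
    // script to scripts it inserts through non-parser-inserted APIs (assumed here).
    return req.kind === "dynamic"
      ? { allowed: true, reason: "strict-dynamic propagation" }
      : { allowed: false, reason: "strict-dynamic: parser-inserted script without nonce" };
  }
  const url = new URL(req.url);
  const selfOk = lower.includes("'self'") && url.origin === SITE_ORIGIN;
  // Simplification: host sources are matched as exact scheme://host origins only.
  const hostOk = sources.some((s) => !s.startsWith("'") && s === url.origin);
  return selfOk || hostOk
    ? { allowed: true, reason: "host match" }
    : { allowed: false, reason: "no matching host source" };
}

// Demonstration with a fixed nonce so the result is reproducible (use makeNonce() per request).
const demoNonce = "r4nd0mN0nce";
const policy = buildPolicy(demoNonce);
const demo = [
  ["bootstrap <script nonce=...> inline", { kind: "inline", nonce: demoNonce }],
  ["GWT fragment appended via createElement", { kind: "dynamic", url: `${SITE_ORIGIN}/app/application-0.js` }],
  ["plain <script src> on the page, no nonce", { kind: "parser-inserted", url: `${SITE_ORIGIN}/app/legacy.js` }],
  ["javascript: URL (e.g. iframe src or navigation)", { kind: "javascript-url" }],
].map(([label, req]) => ({ label, ...checkScript(policy, req) }));

for (const r of demo) console.log(`${r.allowed ? "ALLOW" : "BLOCK"}  ${r.label}  (${r.reason})`);
```

The same check run against a policy without a nonce or 'strict-dynamic' but with 'unsafe-inline' allows the javascript: URL, which is exactly the relaxation the post wants to avoid; the violation is therefore a direct consequence of keeping the policy strict, not a misconfiguration of the nonce.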
