On Monday, September 9, 2019 at 3:36:00 PM UTC+2, Yuriy Ostapyuk wrote: > > Hello. > > I'm struggling with GWT vs CSP problem, specifically 'unsafe-inline' rule. > > I have an application with several deferred modules, which are compiled > and linked with 'xsiframe' or 'direct_install' linkers. And my problem is > that linkers use ScriptTagLoadingStrategy, which uses callbacks and > eventually appends (and then deletes) <script> tag to GWT iframe with > inline javascript in it, which in the end violates 'unsafe-inline' rule. > I've experimented with default linkers and found out that 'sso' > (SingleScriptLinker) fixes the problem, but unfortunately it's not the case > for me, as it not support several modules/fragments. > > So, I'm wondering maybe someone has already researched this problem or > knows some kind of custom linker, which is using a different strategy to > support CSP. > > Thank you in advance for any help or suggestion. >
Part of the culprit code is here: https://github.com/gwtproject/gwt/blob/2.8.2/dev/core/src/com/google/gwt/core/linker/CrossSiteIframeLinker.java#L657-L671 (also https://github.com/gwtproject/gwt/blob/2.8.2/dev/core/src/com/google/gwt/core/ext/linker/impl/runAsync.js ) Most important here in the end is the TODO comment; but that means you should be able to create your own custom linker that would override that method (and possibly others, e.g. getJsRunAsync). But currently, yes, you need unsafe-inline (and/or CSP3's strict-dynamic, and/or CSP2's hash sources –it should be possible to compute those hashes at compile-time using a special linker; in the worst case a special CrossSiteIframeLinker's wrapDeferredFragment override–) -- You received this message because you are subscribed to the Google Groups "GWT Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/google-web-toolkit/8e747e70-38d5-4908-bd04-60ddc1aab61d%40googlegroups.com.
