Thank you so much for the suggestions, it helped me.

On Monday, September 9, 2019 at 5:09:29 PM UTC+3, Thomas Broyer wrote:
>
> On Monday, September 9, 2019 at 3:36:00 PM UTC+2, Yuriy Ostapyuk wrote:
>>
>> Hello.
>>
>> I'm struggling with GWT vs CSP problem, specifically 'unsafe-inline'
>> rule.
>>
>> I have an application with several deferred modules, which are compiled
>> and linked with 'xsiframe' or 'direct_install' linkers. And my problem is
>> that linkers use ScriptTagLoadingStrategy, which uses callbacks and
>> eventually appends (and then deletes) <script> tag to GWT iframe with
>> inline javascript in it, which in the end violates 'unsafe-inline' rule.
>> I've experimented with default linkers and found out that 'sso'
>> (SingleScriptLinker) fixes the problem, but unfortunately it's not the case
>> for me, as it does not support several modules/fragments.
>>
>> So, I'm wondering maybe someone has already researched this problem or
>> knows some kind of custom linker, which is using a different strategy to
>> support CSP.
>>
>> Thank you in advance for any help or suggestion.
>>
>
> Part of the culprit code is here:
> https://github.com/gwtproject/gwt/blob/2.8.2/dev/core/src/com/google/gwt/core/linker/CrossSiteIframeLinker.java#L657-L671
> (also
> https://github.com/gwtproject/gwt/blob/2.8.2/dev/core/src/com/google/gwt/core/ext/linker/impl/runAsync.js
> )
> Most important here in the end is the TODO comment; but that means you
> should be able to create your own custom linker that would override that
> method (and possibly others, e.g. getJsRunAsync).
>
> But currently, yes, you need unsafe-inline (and/or CSP3's strict-dynamic,
> and/or CSP2's hash sources –it should be possible to compute those hashes
> at compile-time using a special linker; in the worst case a special
> CrossSiteIframeLinker's wrapDeferredFragment override–)
>
