Hello Yuriy,
Would you please share how you solved the issue?

On Tuesday, September 10, 2019 at 1:33:13 PM UTC+3 Yuriy Ostapyuk wrote:

> Thank you so much for the suggestions, they helped me.
>
>
> On Monday, September 9, 2019 at 5:09:29 PM UTC+3, Thomas Broyer wrote:
>>
>>
>>
>> On Monday, September 9, 2019 at 3:36:00 PM UTC+2, Yuriy Ostapyuk wrote:
>>>
>>> Hello.
>>>
>>> I'm struggling with a GWT vs CSP problem, specifically the 'unsafe-inline' 
>>> rule.
>>>
>>> I have an application with several deferred modules, which are compiled 
>>> and linked with the 'xsiframe' or 'direct_install' linkers. And my problem is 
>>> that the linkers use ScriptTagLoadingStrategy, which uses callbacks and 
>>> eventually appends (and then deletes) a <script> tag to the GWT iframe with 
>>> inline javascript in it, which in the end violates the 'unsafe-inline' rule. 
>>> I've experimented with the default linkers and found out that 'sso' 
>>> (SingleScriptLinker) fixes the problem, but unfortunately it's not the case 
>>> for me, as it does not support several modules/fragments.
>>>
>>> So, I'm wondering maybe someone has already researched this problem or 
>>> knows some kind of custom linker, which is using a different strategy to 
>>> support CSP.
>>>
>>> Thank you in advance for any help or suggestion.
>>>
>>
>> Part of the culprit code is here: 
>> https://github.com/gwtproject/gwt/blob/2.8.2/dev/core/src/com/google/gwt/core/linker/CrossSiteIframeLinker.java#L657-L671
>> (also 
>> https://github.com/gwtproject/gwt/blob/2.8.2/dev/core/src/com/google/gwt/core/ext/linker/impl/runAsync.js)
>> Most important here in the end is the TODO comment; but that means you 
>> should be able to create your own custom linker that would override that 
>> method (and possibly others, e.g. getJsRunAsync).
>>
>> But currently, yes, you need unsafe-inline (and/or CSP3's strict-dynamic, 
>> and/or CSP2's hash sources –it should be possible to compute those hashes 
>> at compile-time using a special linker; in the worst case a special 
>> CrossSiteIframeLinker's wrapDeferredFragment override–)
>>
>
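
The compile-time hash idea mentioned in the quoted reply, as an added example that is not part of the original thread and is not GWT code: a build step hashes the exact inline text emitted for each deferred fragment and lists those CSP hash sources in script-src instead of 'unsafe-inline'. The fragment bodies, `demoFragmentLoaded` and all function names are assumptions made for illustration.

```python
import base64
import hashlib

CSP_ALGOS = ("sha256", "sha384", "sha512")  # digests CSP hash sources accept

# Constructed stand-ins for the inline script text a linker would inject for
# each deferred fragment (hypothetical bodies, not real GWT output).
FRAGMENTS = {
    "fragment-1": "window.demoFragmentLoaded(1, 'constructed body one');",
    "fragment-2": "window.demoFragmentLoaded(2, 'constructed body two');",
}

def csp_hash_source(script_text, algo="sha256"):
    """Hash source for the exact text of one inline <script> element."""
    if algo not in CSP_ALGOS:
        raise ValueError("unsupported CSP hash algorithm: " + algo)
    digest = hashlib.new(algo, script_text.encode("utf-8")).digest()
    return "'%s-%s'" % (algo, base64.b64encode(digest).decode("ascii"))

def build_script_src(inline_scripts, base_sources=("'self'",)):
    """script-src directive that allows only the listed inline bodies."""
    hashes = sorted({csp_hash_source(s) for s in inline_scripts})
    return "script-src " + " ".join(list(base_sources) + hashes)

def inline_allowed(directive, script_text):
    """Approximate the browser check: does a listed hash match this body?"""
    for src in directive.split()[1:]:
        algo = src.strip("'").split("-", 1)[0]
        if algo in CSP_ALGOS and src == csp_hash_source(script_text, algo):
            return True
    return False

if __name__ == "__main__":
    directive = build_script_src(FRAGMENTS.values())
    print("Content-Security-Policy: " + directive)
    for name, body in FRAGMENTS.items():
        print(name, "allowed:", inline_allowed(directive, body))
    # One extra space changes the digest, so the injected text must be
    # byte-for-byte what was hashed at build time.
    changed = FRAGMENTS["fragment-1"] + " "
    print("modified allowed:", inline_allowed(directive, changed))
```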
