Thanks for your reply. I have migrated to 2.8.2, but now I am facing new issues:

1. No RPC call happens. Ex: existing database calls to load the data, save data, etc.; after we apply CSP (with unsafe-inline and unsafe-eval) those are not working.
2. Existing validations are not triggered. Ex: earlier my UI was throwing an error for mandatory data, but now this is not working.

On Thursday 7 March 2024 at 00:08:00 UTC+8 Thomas Broyer wrote:

> The problem is not loading the nocache.js itself, but is triggered by the
> setupInstallLocation function of the nocache.js, at line 71, specifically
> the line:
>   $doc.body.appendChild(scriptFrame);
> and probably due to that line:
>   scriptFrame.src = $intern_10;
> because of:
>   $intern_10 = 'javascript:""'
>
> This was actually fixed in 2.8.2:
> https://github.com/gwtproject/gwt/commit/f5df41df4016cd2ce4e6a15a637dbe2ddc4f3fab,
> so you're probably using an older version.
> One workaround, as described in the comments in that file is to extend
> CrossSiteIframeLinker and override getJsInstallLocation() to return your
> own script where you'd have applied the fix.
>
> …but then things will break in installCode and __installRunAsyncCode,
> coming from
> https://github.com/gwtproject/gwt/blob/2.8.2/dev/core/src/com/google/gwt/core/ext/linker/impl/installScriptDirect.js
> and
> https://github.com/gwtproject/gwt/blob/2.8.2/dev/core/src/com/google/gwt/core/ext/linker/impl/runAsync.js
> respectively.
> You'll want to replace those with modified versions (read
> CrossSiteIframeLinker to see how to override them) that will add the nonce
> to the dynamically created script (though as they're injected into the
> iframe that's been dynamically created in setupInstallLocation, I'm not
> sure how/which CSP applies there)
>
> On Wednesday, March 6, 2024 at 4:47:29 PM UTC+1 [email protected]
> wrote:
>
>> Hi Team
>> Hope you are doing well
>>
>> I am using GWT version 2.8.2
>> I am trying to apply content secure policy in GWT using script-src
>> 'self' and object-src 'self' without unsafe-inline and unsafe-eval but I am
>> getting the below
>>
>> setupInstallLocation @ AllDec.nocache.js?timeStamp=1709618887261:71
>> AllDec.nocache.js?timeStamp=1709618887261:71 Refused to run the
>> JavaScript URL because it violates the following Content Security Policy
>> directive: "script-src 'self' 'nonce-alldec202403040001'
>> 'nonce-alldec202403040002' 'nonce-trwFrame-202403040001'
>> 'nonce-footer-202403040001' 'nonce-menu202403040001'
>> 'nonce-Header2022092604' 'nonce-Header2022092603' 'nonce-Header2022092602'
>> 'nonce-Header2022092601' 'nonce-header-momentjs-20221027'
>> 'nonce-header-inline-2022102701' 'nonce-header-inline-2022102702'". Either
>> the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce
>> ('nonce-...') is required to enable inline execution. Note that hashes do
>> not apply to event handlers, style attributes and javascript: navigations
>> unless the 'unsafe-hashes' keyword is present.
>>
>> my code logic with different approaches and none of them work for me
>>
>> <script type="text/javascript" language="javascript"
>>   src="../trw4/alldec/AllDec.nocache.js?timeStamp=<%= "" + new java.util.Date().getTime() %>"
>>   nonce="alldec202403040001"></script>
>>
>> <script type="text/javascript" language="javascript"
>>   src="../trw4/alldec/AllDec.nocache.js?timeStamp=<%= "" + new java.util.Date().getTime() %>"
>>   nonce="nonce-alldec202403040001"></script>
>>
>> <script type="text/javascript" language="javascript"
>>   src="../trw4/alldec/AllDec.nocache.js?nonce=alldec202403040001&timeStamp=<%= "" + new java.util.Date().getTime() %>"
>>   nonce="alldec202403040001"></script>
>>
>> <script type="text/javascript" language="javascript"
>>   src="../trw4/alldec/AllDec.nocache.js?nonce=nonce-alldec202403040001&timeStamp=<%= "" + new java.util.Date().getTime() %>"
>>   nonce="nonce-alldec202403040001"></script>
>>
>> I tried this as well but not working
>>
>> String scriptUrl = "../trw4/alldec/AllDec.nocache.js?nonce=alldec202403040001";
>> ScriptInjector.fromUrl(scriptUrl)
>>     .setWindow(ScriptInjector.TOP_WINDOW)
>>     .inject();
>>
>> Need your valuable inputs to achieve content secure policy in GWT using
>> script-src 'self' and object-src 'self' without unsafe-inline and
>> unsafe-eval
>> I suspect the inline java script code is not allowing to apply
>> script-src 'self' and object-src 'self' without unsafe-inline and
>> unsafe-eval
>>
>> Here is my AllDec.nocache.js
>>
>> function AllDec(){
>>   var $intern_0 = 'bootstrap', $intern_1 = 'begin',
>>       $intern_2 = 'gwt.codesvr.AllDec=', $intern_3 = 'gwt.codesvr=',
>>       $intern_4 = 'AllDec', $intern_5 = 'startup', $intern_6 = 'DUMMY',
>>       $intern_7 = 0, $intern_8 = 1, $intern_9 = 'iframe',
>>       $intern_10 = 'javascript:""',
>>       $intern_11 = 'position:absolute; width:0; height:0; border:none; left: -1000px;',
>>       $intern_12 = ' top: -1000px;', $intern_13 = 'CSS1Compat',
>>       $intern_14 = '<!doctype html>', $intern_15 = '',
>>       $intern_16 = '<html><head><\/head><body><\/body><\/html>',
>>       $intern_17 = 'undefined', $intern_18 = 'readystatechange',
>>       $intern_19 = 10, $intern_20 = 'script', $intern_21 = 'javascript',
>>       $intern_22 = 'Failed to load ', $intern_23 = 'moduleStartup',
>>       $intern_24 = 'scriptTagAdded', $intern_25 = 'moduleRequested',
>>       $intern_26 = 'meta', $intern_27 = 'name', $intern_28 = 'AllDec::',
>>       $intern_29 = '::', $intern_30 = 'gwt:property', $intern_31 = 'content',
>>       $intern_32 = '=', $intern_33 = 'gwt:onPropertyErrorFn',
>>       $intern_34 = 'Bad handler "', $intern_35 = '" for "gwt:onPropertyErrorFn"',
>>       $intern_36 = 'gwt:onLoadErrorFn', $intern_37 = '" for "gwt:onLoadErrorFn"',
>>       $intern_38 = '#', $intern_39 = '?', $intern_40 = '/', $intern_41 = 'img',
>>       $intern_42 = 'clear.cache.gif', $intern_43 = 'baseUrl',
>>       $intern_44 = 'AllDec.nocache.js', $intern_45 = 'base', $intern_46 = '//',
>>       $intern_47 = 'user.agent', $intern_48 = 'webkit', $intern_49 = 'safari',
>>       $intern_50 = 'msie', $intern_51 = 11, $intern_52 = 'ie10',
>>       $intern_53 = 9, $intern_54 = 'ie9', $intern_55 = 8, $intern_56 = 'ie8',
>>       $intern_57 = 'gecko', $intern_58 = 'gecko1_8', $intern_59 = 2,
>>       $intern_60 = 3, $intern_61 = 4, $intern_62 = 'selectingPermutation',
>>       $intern_63 = 'AllDec.devmode.js',
>>       $intern_64 = '0EF85E4190AC447E05897F96A6F99F47',
>>       $intern_65 = '4907B969BA14903A87055E501F608F15',
>>       $intern_66 = '9EE4E7BDFF866FF07E4C05A26DDA5C46',
>>       $intern_67 = 'CDC1ED083BDDEDA5A079F2A66A48A35D',
>>       $intern_68 = 'FD596E46A331AE61B689F91C1973282E',
>>       $intern_69 = ':', $intern_70 = '.cache.js', $intern_71 = 'link',
>>       $intern_72 = 'rel', $intern_73 = 'stylesheet', $intern_74 = 'href',
>>       $intern_75 = 'head', $intern_76 = 'loadExternalRefs',
>>       $intern_77 = 'Trw4gui.css', $intern_78 = 'end', $intern_79 = 'http:',
>>       $intern_80 = 'file:', $intern_81 = '_gwt_dummy_',
>>       $intern_82 = '__gwtDevModeHook:AllDec',
>>       $intern_83 = 'Ignoring non-whitelisted Dev Mode URL: ',
>>       $intern_84 = ':moduleBase';
>>   var $wnd = window;
>>   var $doc = document;
>>   sendStats($intern_0, $intern_1);
>>   function isHostedMode(){
>>     var query = $wnd.location.search;
>>     return query.indexOf($intern_2) != -1 || query.indexOf($intern_3) != -1;
>>   }
>>
>>   function sendStats(evtGroupString, typeString){
>>     if ($wnd.__gwtStatsEvent) {
>>       $wnd.__gwtStatsEvent({moduleName:$intern_4,
>>         sessionId:$wnd.__gwtStatsSessionId, subSystem:$intern_5,
>>         evtGroup:evtGroupString, millis:(new Date).getTime(), type:typeString});
>>     }
>>   }
>>
>>   AllDec.__sendStats = sendStats;
>>   AllDec.__moduleName = $intern_4;
>>   AllDec.__errFn = null;
>>   AllDec.__moduleBase = $intern_6;
>>   AllDec.__softPermutationId = $intern_7;
>>   AllDec.__computePropValue = null;
>>   AllDec.__getPropMap = null;
>>   AllDec.__installRunAsyncCode = function(){
>>   }
>>   ;
>>   AllDec.__gwtStartLoadingFragment = function(){
>>     return null;
>>   }
>>   ;
>>   AllDec.__gwt_isKnownPropertyValue = function(){
>>     return false;
>>   }
>>   ;
>>   AllDec.__gwt_getMetaProperty = function(){
>>     return null;
>>   }
>>   ;
>>   var __propertyErrorFunction = null;
>>   var activeModules = $wnd.__gwt_activeModules = $wnd.__gwt_activeModules || {};
>>   activeModules[$intern_4] = {moduleName:$intern_4};
>>   AllDec.__moduleStartupDone = function(permProps){
>>     var oldBindings = activeModules[$intern_4].bindings;
>>     activeModules[$intern_4].bindings = function(){
>>       var props = oldBindings?oldBindings():{};
>>       var embeddedProps = permProps[AllDec.__softPermutationId];
>>       for (var i = $intern_7; i < embeddedProps.length; i++) {
>>         var pair = embeddedProps[i];
>>         props[pair[$intern_7]] = pair[$intern_8];
>>       }
>>       return props;
>>     }
>>     ;
>>   }
>>   ;
>>   var frameDoc;
>>   function getInstallLocationDoc(){
>>     setupInstallLocation();
>>     return frameDoc;
>>   }
>>
>>   function setupInstallLocation(){
>>     if (frameDoc) {
>>       return;
>>     }
>>     var scriptFrame = $doc.createElement($intern_9);
>>     scriptFrame.src = $intern_10;
>>     scriptFrame.id = $intern_4;
>>     scriptFrame.style.cssText = $intern_11 + $intern_12;
>>     scriptFrame.tabIndex = -1;
>>     $doc.body.appendChild(scriptFrame);
>>     frameDoc = scriptFrame.contentDocument;
>>     if (!frameDoc) {
>>       frameDoc = scriptFrame.contentWindow.document;
>>     }
>>     frameDoc.open();
>>     var doctype = document.compatMode == $intern_13?$intern_14:$intern_15;
>>     frameDoc.write(doctype + $intern_16);
>>     frameDoc.close();
>>   }
>>
>>   function installScript(filename){
>>     function setupWaitForBodyLoad(callback){
>>       function isBodyLoaded(){
>>         if (typeof $doc.readyState == $intern_17) {
>>           return typeof $doc.body != $intern_17 && $doc.body != null;
>>         }
>>         return /loaded|complete/.test($doc.readyState);
>>       }
>>
>>       var bodyDone = isBodyLoaded();
>>       if (bodyDone) {
>>         callback();
>>         return;
>>       }
>>       function checkBodyDone(){
>>         if (!bodyDone) {
>>           if (!isBodyLoaded()) {
>>             return;
>>           }
>>           bodyDone = true;
>>           callback();
>>           if ($doc.removeEventListener) {
>>             $doc.removeEventListener($intern_18, checkBodyDone, false);
>>           }
>>           if (onBodyDoneTimerId) {
>>             clearInterval(onBodyDoneTimerId);
>>           }
>>         }
>>       }
>>
>>       if ($doc.addEventListener) {
>>         $doc.addEventListener($intern_18, checkBodyDone, false);
>>       }
>>       var onBodyDoneTimerId = setInterval(function(){
>>         checkBodyDone();
>>       }
>>       , $intern_19);
>>     }
>>
>>     function installCode(code_0){
>>       var doc = getInstallLocationDoc();
>>       var docbody = doc.body;
>>       var script = doc.createElement($intern_20);
>>       script.language = $intern_21;
>>       script.src = code_0;
>>       if (AllDec.__errFn) {
>>         script.onerror = function(){
>>           AllDec.__errFn($intern_4, new Error($intern_22 + code_0));
>>         }
>>         ;
>>       }
>>       docbody.appendChild(script);
>>       sendStats($intern_23, $intern_24);
>>     }
>>
>>     sendStats($intern_23, $intern_25);
>>     setupWaitForBodyLoad(function(){
>>       installCode(filename);
>>     }
>>     );
>>   }
>>
>>   AllDec.__startLoadingFragment = function(fragmentFile){
>>     return computeUrlForResource(fragmentFile);
>>   }
>>   ;
>>   AllDec.__installRunAsyncCode = function(code_0){
>>     var doc = getInstallLocationDoc();
>>     var docbody = doc.body;
>>     var script = doc.createElement($intern_20);
>>     script.language = $intern_21;
>>     script.text = code_0;
>>     docbody.appendChild(script);
>>   }
>>   ;
>>   function processMetas(){
>>     var metaProps = {};
>>     var propertyErrorFunc;
>>     var onLoadErrorFunc;
>>     var metas = $doc.getElementsByTagName($intern_26);
>>     for (var i = $intern_7, n = metas.length; i < n; ++i) {
>>       var meta = metas[i], name_0 = meta.getAttribute($intern_27), content;
>>       if (name_0) {
>>         name_0 = name_0.replace($intern_28, $intern_15);
>>         if (name_0.indexOf($intern_29) >= $intern_7) {
>>           continue;
>>         }
>>         if (name_0 == $intern_30) {
>>           content = meta.getAttribute($intern_31);
>>           if (content) {
>>             var value_0, eq = content.indexOf($intern_32);
>>             if (eq >= $intern_7) {
>>               name_0 = content.substring($intern_7, eq);
>>               value_0 = content.substring(eq + $intern_8);
>>             }
>>             else {
>>               name_0 = content;
>>               value_0 = $intern_15;
>>             }
>>             metaProps[name_0] = value_0;
>>           }
>>         }
>>         else if (name_0 == $intern_33) {
>>           content = meta.getAttribute($intern_31);
>>           if (content) {
>>             try {
>>               propertyErrorFunc = eval(content);
>>             }
>>             catch (e) {
>>               alert($intern_34 + content + $intern_35);
>>             }
>>           }
>>         }
>>         else if (name_0 == $intern_36) {
>>           content = meta.getAttribute($intern_31);
>>           if (content) {
>>             try {
>>               onLoadErrorFunc = eval(content);
>>             }
>>             catch (e) {
>>               alert($intern_34 + content + $intern_37);
>>             }
>>           }
>>         }
>>       }
>>     }
>>     __gwt_getMetaProperty = function(name_0){
>>       var value_0 = metaProps[name_0];
>>       return value_0 == null?null:value_0;
>>     }
>>     ;
>>     __propertyErrorFunction = propertyErrorFunc;
>>     AllDec.__errFn = onLoadErrorFunc;
>>   }
>>
>>   function computeScriptBase(){
>>     function getDirectoryOfFile(path){
>>       var hashIndex = path.lastIndexOf($intern_38);
>>       if (hashIndex == -1) {
>>         hashIndex = path.length;
>>       }
>>       var queryIndex = path.indexOf($intern_39);
>>       if (queryIndex == -1) {
>>         queryIndex = path.length;
>>       }
>>       var slashIndex = path.lastIndexOf($intern_40, Math.min(queryIndex, hashIndex));
>>       return slashIndex >= $intern_7?path.substring($intern_7, slashIndex + $intern_8):$intern_15;
>>     }
>>
>>     function ensureAbsoluteUrl(url_0){
>>       if (url_0.match(/^\w+:\/\//)) {
>>       }
>>       else {
>>         var img = $doc.createElement($intern_41);
>>         img.src = url_0 + $intern_42;
>>         url_0 = getDirectoryOfFile(img.src);
>>       }
>>       return url_0;
>>     }
>>
>>     function tryMetaTag(){
>>       var metaVal = __gwt_getMetaProperty($intern_43);
>>       if (metaVal != null) {
>>         return metaVal;
>>       }
>>       return $intern_15;
>>     }
>>
>>     function tryNocacheJsTag(){
>>       var scriptTags = $doc.getElementsByTagName($intern_20);
>>       for (var i = $intern_7; i < scriptTags.length; ++i) {
>>         if (scriptTags[i].src.indexOf($intern_44) != -1) {
>>           return getDirectoryOfFile(scriptTags[i].src);
>>         }
>>       }
>>       return $intern_15;
>>     }
>>
>>     function tryBaseTag(){
>>       var baseElements = $doc.getElementsByTagName($intern_45);
>>       if (baseElements.length > $intern_7) {
>>         return baseElements[baseElements.length - $intern_8].href;
>>       }
>>       return $intern_15;
>>     }
>>
>>     function isLocationOk(){
>>       var loc = $doc.location;
>>       return loc.href == loc.protocol + $intern_46 + loc.host + loc.pathname + loc.search + loc.hash;
>>     }
>>
>>     var tempBase = tryMetaTag();
>>     if (tempBase == $intern_15) {
>>       tempBase = tryNocacheJsTag();
>>     }
>>     if (tempBase == $intern_15) {
>>       tempBase = tryBaseTag();
>>     }
>>     if (tempBase == $intern_15 && isLocationOk()) {
>>       tempBase = getDirectoryOfFile($doc.location.href);
>>     }
>>     tempBase = ensureAbsoluteUrl(tempBase);
>>     return tempBase;
>>   }
>>
>>   function computeUrlForResource(resource){
>>     if (resource.match(/^\//)) {
>>       return resource;
>>     }
>>     if (resource.match(/^[a-zA-Z]+:\/\//)) {
>>       return resource;
>>     }
>>     return AllDec.__moduleBase + resource;
>>   }
>>
>>   function getCompiledCodeFilename(){
>>     var answers = [];
>>     var softPermutationId = $intern_7;
>>     function unflattenKeylistIntoAnswers(propValArray, value_0){
>>       var answer = answers;
>>       for (var i = $intern_7, n = propValArray.length - $intern_8; i < n; ++i) {
>>         answer = answer[propValArray[i]] || (answer[propValArray[i]] = []);
>>       }
>>       answer[propValArray[n]] = value_0;
>>     }
>>
>>     var values = [];
>>     var providers = [];
>>     function computePropValue(propName){
>>       var value_0 = providers[propName](), allowedValuesMap = values[propName];
>>       if (value_0 in allowedValuesMap) {
>>         return value_0;
>>       }
>>       var allowedValuesList = [];
>>       for (var k in allowedValuesMap) {
>>         allowedValuesList[allowedValuesMap[k]] = k;
>>       }
>>       if (__propertyErrorFunction) {
>>         __propertyErrorFunction(propName, allowedValuesList, value_0);
>>       }
>>       throw null;
>>     }
>>
>>     providers[$intern_47] = function(){
>>       var ua = navigator.userAgent.toLowerCase();
>>       var docMode = $doc.documentMode;
>>       if (function(){
>>         return ua.indexOf($intern_48) != -1;
>>       }
>>       ())
>>         return $intern_49;
>>       if (function(){
>>         return ua.indexOf($intern_50) != -1 && (docMode >= $intern_19 && docMode < $intern_51);
>>       }
>>       ())
>>         return $intern_52;
>>       if (function(){
>>         return ua.indexOf($intern_50) != -1 && (docMode >= $intern_53 && docMode < $intern_51);
>>       }
>>       ())
>>         return $intern_54;
>>       if (function(){
>>         return ua.indexOf($intern_50) != -1 && (docMode >= $intern_55 && docMode < $intern_51);
>>       }
>>       ())
>>         return $intern_56;
>>       if (function(){
>>         return ua.indexOf($intern_57) != -1 || docMode >= $intern_51;
>>       }
>>       ())
>>         return $intern_58;
>>       return $intern_15;
>>     }
>>     ;
>>     values[$intern_47] = {'gecko1_8':$intern_7, 'ie10':$intern_8,
>>       'ie8':$intern_59, 'ie9':$intern_60, 'safari':$intern_61};
>>     __gwt_isKnownPropertyValue = function(propName, propValue){
>>       return propValue in values[propName];
>>     }
>>     ;
>>     AllDec.__getPropMap = function(){
>>       var result = {};
>>       for (var key in values) {
>>         if (values.hasOwnProperty(key)) {
>>           result[key] = computePropValue(key);
>>         }
>>       }
>>       return result;
>>     }
>>     ;
>>     AllDec.__computePropValue = computePropValue;
>>     $wnd.__gwt_activeModules[$intern_4].bindings = AllDec.__getPropMap;
>>     sendStats($intern_0, $intern_62);
>>     if (isHostedMode()) {
>>       return computeUrlForResource($intern_63);
>>     }
>>     var strongName;
>>     try {
>>       unflattenKeylistIntoAnswers([$intern_56], $intern_64);
>>       unflattenKeylistIntoAnswers([$intern_52], $intern_65);
>>       unflattenKeylistIntoAnswers([$intern_54], $intern_66);
>>       unflattenKeylistIntoAnswers([$intern_58], $intern_67);
>>       unflattenKeylistIntoAnswers([$intern_49], $intern_68);
>>       strongName = answers[computePropValue($intern_47)];
>>       var idx = strongName.indexOf($intern_69);
>>       if (idx != -1) {
>>         softPermutationId = parseInt(strongName.substring(idx + $intern_8), $intern_19);
>>         strongName = strongName.substring($intern_7, idx);
>>       }
>>     }
>>     catch (e) {
>>     }
>>     AllDec.__softPermutationId = softPermutationId;
>>     return computeUrlForResource(strongName + $intern_70);
>>   }
>>
>>   function loadExternalStylesheets(){
>>     if (!$wnd.__gwt_stylesLoaded) {
>>       $wnd.__gwt_stylesLoaded = {};
>>     }
>>     function installOneStylesheet(stylesheetUrl){
>>       if (!__gwt_stylesLoaded[stylesheetUrl]) {
>>         var l = $doc.createElement($intern_71);
>>         l.setAttribute($intern_72, $intern_73);
>>         l.setAttribute($intern_74, computeUrlForResource(stylesheetUrl));
>>         $doc.getElementsByTagName($intern_75)[$intern_7].appendChild(l);
>>         __gwt_stylesLoaded[stylesheetUrl] = true;
>>       }
>>     }
>>
>>     sendStats($intern_76, $intern_1);
>>     installOneStylesheet($intern_77);
>>     sendStats($intern_76, $intern_78);
>>   }
>>
>>   processMetas();
>>   AllDec.__moduleBase = computeScriptBase();
>>   activeModules[$intern_4].moduleBase = AllDec.__moduleBase;
>>   var filename = getCompiledCodeFilename();
>>   if ($wnd) {
>>     var devModePermitted = !!($wnd.location.protocol == $intern_79 || $wnd.location.protocol == $intern_80);
>>     $wnd.__gwt_activeModules[$intern_4].canRedirect = devModePermitted;
>>     function supportsSessionStorage(){
>>       var key = $intern_81;
>>       try {
>>         $wnd.sessionStorage.setItem(key, key);
>>         $wnd.sessionStorage.removeItem(key);
>>         return true;
>>       }
>>       catch (e) {
>>         return false;
>>       }
>>     }
>>
>>     if (devModePermitted && supportsSessionStorage()) {
>>       var devModeKey = $intern_82;
>>       var devModeUrl = $wnd.sessionStorage[devModeKey];
>>       if (!/^http:\/\/(localhost|127\.0\.0\.1)(:\d+)?\/.*$/.test(devModeUrl)) {
>>         if (devModeUrl && (window.console && console.log)) {
>>           console.log($intern_83 + devModeUrl);
>>         }
>>         devModeUrl = $intern_15;
>>       }
>>       if (devModeUrl && !$wnd[devModeKey]) {
>>         $wnd[devModeKey] = true;
>>         $wnd[devModeKey + $intern_84] = computeScriptBase();
>>         var devModeScript = $doc.createElement($intern_20);
>>         devModeScript.src = devModeUrl;
>>         var head = $doc.getElementsByTagName($intern_75)[$intern_7];
>>         head.insertBefore(devModeScript, head.firstElementChild || head.children[$intern_7]);
>>         return false;
>>       }
>>     }
>>   }
>>   loadExternalStylesheets();
>>   sendStats($intern_0, $intern_78);
>>   installScript(filename);
>>   return true;
>> }
>>
>> AllDec.succeeded = AllDec();
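
Added example, not part of the thread and not GWT code: a simplified model of script-src matching, run against a shortened form of the policy from the error message for the three script-loading operations in the quoted nocache.js. The names `parseScriptSrc`, `allows` and `auditLoader` are hypothetical, hash sources and 'strict-dynamic' are not modelled, and it assumes the dynamically created iframe is governed by the page's policy.

```javascript
// Added example: simplified model of CSP script-src matching (not GWT code).
// Hash sources and 'strict-dynamic' are deliberately not modelled.
function parseScriptSrc(policy) {
  const tokens = policy.trim().split(/\s+/);
  if (tokens[0] === 'script-src') tokens.shift();
  const nonces = new Set();
  const keywords = new Set();
  for (const t of tokens) {
    const m = /^'nonce-(.+)'$/.exec(t);
    if (m) nonces.add(m[1]);
    else keywords.add(t.toLowerCase());
  }
  return {
    nonces,
    self: keywords.has("'self'"),
    // Browsers ignore 'unsafe-inline' once any nonce source is listed.
    unsafeInline: keywords.has("'unsafe-inline'") && nonces.size === 0,
  };
}

function allows(policy, op) {
  const p = parseScriptSrc(policy);
  const nonceOk = op.nonce !== undefined && p.nonces.has(op.nonce);
  switch (op.kind) {
    case 'javascript-url': // iframe.src = 'javascript:""'; a nonce cannot cover a URL
      return p.unsafeInline;
    case 'inline':         // script.text = code
      return p.unsafeInline || nonceOk;
    case 'external':       // script.src = url
      return nonceOk || (p.self && op.sameOrigin === true);
    default:
      throw new Error('unknown operation kind: ' + op.kind);
  }
}

// The three operations in the quoted nocache.js. `nonce` is the value a
// modified loader would set on the scripts it creates (assumption).
function auditLoader(policy, nonce) {
  return {
    setupInstallLocation: allows(policy, { kind: 'javascript-url' }),
    installCode: allows(policy, { kind: 'external', sameOrigin: true, nonce }),
    __installRunAsyncCode: allows(policy, { kind: 'inline', nonce }),
  };
}

// Shortened form of the policy in the error message (nonce values from the page).
const PAGE_POLICY =
  "script-src 'self' 'nonce-alldec202403040001' 'nonce-alldec202403040002'";

console.log(auditLoader(PAGE_POLICY));
console.log(auditLoader(PAGE_POLICY, 'alldec202403040001'));
```

Under this model only the same-origin `script.src` load in installCode passes the page's policy as posted; the `javascript:` iframe source is refused with or without a nonce, and the inline `script.text` path in __installRunAsyncCode passes only when the created script carries a listed nonce.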
