Apologies.  Didn't realise CSP isn't enabled in browsers by default.

On Friday 2 August 2024 at 11:26:55 am UTC+10 Craig Mitchell wrote:

> What am I missing here?  I use CssResource and don't have "style-src 
> unsafe-inline" anywhere, and it all works fine.
>
> I.e.:
>
> public class ResourcesCommon {
>   private static final ResourcesCommonDefinitions INSTANCE =
>       GWT.create(ResourcesCommonDefinitions.class);
>   public static ResourcesCommonDefinitions inst() {
>     return INSTANCE;
>   }
> }
>
> public interface ResourcesCommonDefinitions extends ClientBundle {
>   @Source("style.css") ResourcesCommonCSS css();
> }
>
> public interface ResourcesCommonCSS extends CssResource {
>   @ClassName("someStyle") String someStyle();
> }
>
> Have all the css in style.css:
>
> .someStyle {
>   color: red;
> }
>
> And in the ui.xml files:
>
> <ui:with field="resCommon" type="proj.my.ResourcesCommon" />
>
> <g:HTMLPanel>
>   <div ui:field="myDiv" class="{resCommon.inst.css.someStyle}">
>   </div>
> </g:HTMLPanel>
>
> On Thursday 1 August 2024 at 1:11:45 pm UTC+10 Colin Alworth wrote:
>
>> After some discussion in gitter a few hours ago 
>> <https://matrix.to/#/!AvXTCxQwVkniJBaCEi:gitter.im/$eQPedHE1EIVfShi8awSlne0eZG5CMP41Aa_8EQXOjRw>, 
>> we filed https://github.com/gwtproject/gwt/issues/9990 as a research 
>> topic to look more deeply into this within GWT itself.
>>
>> It looks to me as though a separate StyleInjector implementation could be 
>> provided that no longer batches style tag creation, but instead inserts 
>> each individually. When the app is compiled, the hash for each block of CSS 
>> could be computed (...minus any runtime value interpolation), and a 
>> generated file made available to the server so that appropriate CSP headers 
>> can be set on http responses.
>>
>> Creating many individual css files and loading them via <link> tags is an 
>> option too, but won't load synchronously that way, unless you hit them all 
>> at startup (which then would mean that you may load them unnecessarily).
>>
>> Alternatively, a nonce could be specified and injected with each style 
>> tag - but that seems like a weaker approach in general, since it requires 
>> making the nonce available to the page's script code.
>>
>> On Wednesday, July 31, 2024 at 8:26:57 PM UTC-5 [email protected] 
>> wrote:
>>
>>> There are multiple ways of using CSS in the UIBinder, I'm not sure which 
>>> one uses injectStyleSheet behind the scenes.  Are you referring to using:
>>>
>>>    1. The <ui:style> tag in the ui.xml files.
>>>    2. Resources with CssResource and the <ui:with ...> tag in the 
>>>    ui.xml files.
>>>    3. Or are you programmatically injecting CSS in the code.
>>>
>>> The obvious workaround would be to put your CSS in the main index.html 
>>> file, and reference it from there, however, that might not be practical for 
>>> your situation.
>>>
>>> On Thursday 1 August 2024 at 1:42:16 am UTC+10 [email protected] 
>>> wrote:
>>>
>>>> Hello all. I am working to make our webapp compliant with our CSP, and 
>>>> have removed `style-src unsafe-inline`. I am working through any errors 
>>>> that have popped up, but one is stumping me.
>>>>
>>>> At runtime, it appears that GWT is injecting all the CSS from our Ui 
>>>> Binder files using StyleInjectorImpl 
>>>> <https://www.gwtproject.org/javadoc/latest/com/google/gwt/dom/client/StyleInjector.StyleInjectorImpl.html> 
>>>> `injectStyleSheet` method.
>>>>
>>>> This is violating the CSP. Is there any way around this? I'm aware that 
>>>> the main way to ensure CSP compliance is to use a nonce value, but due to 
>>>> some quirks with our setup, this is not possible. 
>>>>
>>>
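
Added example, not part of the original thread and not GWT code: the hash-based approach described in Colin Alworth's reply, written for Node.js. It computes a CSP hash source for each CSS block known at compile time, assembles the style-src directive a server would send, and shows that a batched style tag (several blocks concatenated) does not match the per-block hashes. All function names and the sample CSS blocks are constructed for illustration.

```javascript
// Added example (hypothetical names, not GWT's API).
const { createHash } = require("crypto");

// CSP hash source for the exact text content of one <style> element.
// The browser hashes that text byte for byte, so whitespace matters.
function cspHashSource(cssText) {
  const digest = createHash("sha256").update(cssText, "utf8").digest("base64");
  return `'sha256-${digest}'`;
}

// Build the style-src directive from the CSS blocks known at compile time.
// Duplicate blocks produce the same hash and are listed once.
function buildStyleSrc(cssBlocks) {
  const sources = [...new Set(cssBlocks.map(cspHashSource))];
  return ["style-src", "'self'", ...sources].join(" ");
}

// Would a <style> element with this text content match the directive?
function isAllowed(styleSrc, cssText) {
  return styleSrc.split(/\s+/).includes(cspHashSource(cssText));
}

// Constructed sample: what a compiler step could emit, one entry per block.
const compiledBlocks = [
  ".someStyle {\n  color: red;\n}\n",
  ".other { margin: 0; }",
  ".other { margin: 0; }", // same block reached from a second bundle
];

const STYLE_SRC = buildStyleSrc(compiledBlocks);

// One <style> per block matches; a batched tag holding two blocks does not,
// and neither does a block whose text changed at runtime.
const batched = compiledBlocks[0] + compiledBlocks[1];
const interpolated = ".someStyle {\n  color: blue;\n}\n";

console.log("Content-Security-Policy: " + STYLE_SRC);
console.log("single block allowed:", isAllowed(STYLE_SRC, compiledBlocks[0]));
console.log("batched tag allowed:", isAllowed(STYLE_SRC, batched));
console.log("interpolated allowed:", isAllowed(STYLE_SRC, interpolated));
```

The list of hash sources has to be regenerated on every compile, since any change to a block's text changes its hash.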
