We are implementing CSP in our application which uses GWT 2.10.0 version.
The scripts are using a nonce value set on the tags which the CSP
script-src directive uses to verify and to allow access.
We also have URLs which need to be whitelisted in the script-src
directive. So we cannot use strict-dynamic for inline scripts.
We are using Code splitting enabled in GWT and also using xsiframe.
Nothing works to implement inline JS in *nocache.js; it fails with this -
f.appendChild(g) - Refused to execute inline script because it violates the
following Content Security Policy directive: "script-src 'self' Either the
'unsafe-inline' keyword, a hash
('sha256-ZcEtuzld5ACAA/kdUUaWjDmI0w4iu451MSo8nEMgTRY='), or a nonce
('nonce-...') is required to enable inline execution.
Tried the below options - none of them work:
1. <add-linker name="direct_install" />
2. MutationObserver
3. Also tried overriding window.__installRunAsyncCode and
window.__gwt_getInstallScript to append the nonce value.
4. ScriptInjector value to set the nonce.
5. CrossSiteLinkerFramework to override getJsInstallScript()
This works - but only with no code splitting:
<set-configuration-property name="installCode" value="false" />
<!--A related property that must also be configured to properly handle
fragment loading -->
<set-configuration-property name="installScriptJs"
value="com/google/gwt/core/ext/linker/impl/installScriptDirect.js" />
Does anyone know how this can be implemented to solve the inline JS issue
in GWT?
--
You received this message because you are subscribed to the Google Groups "GWT
Users" group.
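The rule behind the console error quoted in the post, as an added example that is not part of the original message and not GWT code: a small Node.js model of how a browser decides whether an inline script may run under a script-src list that combines a nonce with allowlisted origins and no 'strict-dynamic'. The nonce value, the origin and the script bodies are constructed samples, and the function names are hypothetical.

```javascript
// Added example: models CSP inline-script checks; not GWT or browser source.
const nodeCrypto = require('crypto');

// script-src with a per-response nonce plus allowlisted origins,
// without 'strict-dynamic' (the setup described in the post).
function buildScriptSrc(nonce, allowedOrigins) {
  return ["'self'", `'nonce-${nonce}'`, ...allowedOrigins].join(' ');
}

// CSP hash source for an inline script body: base64 of its SHA-256 digest.
function hashSource(scriptText) {
  const digest = nodeCrypto.createHash('sha256').update(scriptText, 'utf8').digest('base64');
  return `'sha256-${digest}'`;
}

// element: { nonce?: string, text: string }, an inline <script> about to run.
// Host and 'self' sources are never consulted: they only match script URLs.
function inlineScriptAllowed(scriptSrc, element) {
  const sources = scriptSrc.split(/\s+/).filter(Boolean);
  const nonces = sources.filter(s => /^'nonce-.+'$/.test(s)).map(s => s.slice(7, -1));
  const hashes = sources.filter(s => /^'sha256-.+'$/.test(s));
  if (element.nonce && nonces.includes(element.nonce)) return 'allowed: nonce';
  if (hashes.includes(hashSource(element.text))) return 'allowed: hash';
  // 'unsafe-inline' is ignored once any nonce or hash source is present.
  const unsafeInline = sources.includes("'unsafe-inline'");
  if (unsafeInline && nonces.length === 0 && hashes.length === 0) return 'allowed: unsafe-inline';
  return 'blocked';
}

function demo() {
  const nonce = 'c2FtcGxlLW5vbmNl';           // constructed sample nonce
  const policy = buildScriptSrc(nonce, ['https://cdn.example.com']);
  const body = 'installFragment(1);';          // constructed sample script body
  return {
    // Script element created at runtime and appended without a nonce attribute.
    appendedWithoutNonce: inlineScriptAllowed(policy, { text: body }),
    // Same element once the page's nonce is copied onto it before insertion.
    appendedWithNonce: inlineScriptAllowed(policy, { nonce, text: body }),
    // A hash source only matches a byte-identical script body.
    hashExact: inlineScriptAllowed(`'self' ${hashSource(body)}`, { text: body }),
    hashChanged: inlineScriptAllowed(`'self' ${hashSource(body)}`, { text: 'installFragment(2);' }),
    // Adding 'unsafe-inline' next to a nonce does not re-enable inline scripts.
    unsafeInlineWithNonce: inlineScriptAllowed(policy + " 'unsafe-inline'", { text: body }),
  };
}

console.log(demo());
```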