Hi everyone,
I’m working on a GWT 2.11.0 application and trying to tighten our Content Security Policy (CSP) by removing the following insecure directives:

- unsafe-eval
- unsafe-inline

When I try removing *unsafe-eval*, the application starts throwing browser console errors like:

*com.google.gwt.core.client.JavaScriptException: (EvalError) : Evaluating a string as JavaScript violates the following Content Security Policy directive because 'unsafe-eval' is not an allowed source of script: script-src 'self' 'unsafe-inline'".*

When I then try removing *unsafe-inline*, I receive additional CSP errors such as:

*Executing inline script violates the CSP directive 'script-src 'self' 'unsafe-eval'' A nonce or hash is required to enable inline execution. Running javascript: URL violates CSP directive*

It looks like both the GWT-generated scripts and some parts of the UI rely on inline scripts and eval-like operations.

I’m trying to find out if anyone has successfully removed *both*:

- unsafe-eval
- unsafe-inline

*in a GWT 2.11+ application without breaking functionality*.

I’m looking for guidance from anyone who has successfully removed both unsafe-eval and unsafe-inline in a GWT 2.11+ application, including any known workarounds, compiler options, migration steps, or advice on handling inline scripts or eval usage in GWT to achieve strict CSP compliance.
