We are using a custom Linker with GWT 2.12 to be able to work with CSP. The linker extends the CrossSiteIframeLinker and overrides a few methods.
• shouldInstallCode always returns false
• getHostedFilename returns “”, which disables the generation of *.devmode.js files (not needed for us)
• getJsProcessMetas returns “com/google/gwt/core/ext/linker/impl/processMetasNull.js”, since we don’t use meta tags to configure the app

On Dec 3, 2025 at 08:16 +0100, Garima Jain <[email protected]>, wrote:
> Hi everyone,
>
> I’m working on a GWT 2.11.0 application and trying to tighten our Content Security Policy (CSP) by removing the following insecure directives:
>
> • unsafe-eval
> • unsafe-inline
>
> When I try removing unsafe-eval, the application starts throwing browser console errors like:
>
> com.google.gwt.core.client.JavaScriptException: (EvalError) : Evaluating a string as JavaScript violates the following Content Security Policy directive because 'unsafe-eval' is not an allowed source of script: script-src 'self' 'unsafe-inline'".
>
> When I then try removing unsafe-inline, I receive additional CSP errors such as:
>
> Executing inline script violates the CSP directive 'script-src 'self' 'unsafe-eval'' A nonce or hash is required to enable inline execution.
> Running javascript: URL violates CSP directive
>
> It looks like both the GWT-generated scripts and some parts of the UI rely on inline scripts and eval-like operations.
>
> I’m trying to find out if anyone has successfully removed both:
>
> • unsafe-eval
> • unsafe-inline
>
> in a GWT 2.11+ application without breaking functionality.
>
> I’m looking for guidance from anyone who has successfully removed both unsafe-eval and unsafe-inline in a GWT 2.11+ application, including any known workarounds, compiler options, migration steps, or advice on handling inline scripts or eval usage in GWT to achieve strict CSP compliance.
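An added example, not part of the thread and not GWT code: a simplified check of which of the three behaviours named in the quoted console errors (string evaluation, inline scripts, javascript: URLs) a given policy blocks, run over the two policies from those errors. The function names and the nonce value are constructed for illustration, and hash matching is left out.

```javascript
// Parse "name v1 v2; name2 v3" into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored; the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Report whether eval(), an inline <script> and a javascript: URL would run.
// scriptNonce is the nonce attribute of the inline script, or null if absent.
function scriptVerdict(policy, scriptNonce = null) {
  const d = parseCsp(policy);
  // script-src falls back to default-src; with neither, scripts are unrestricted.
  const src = d.get('script-src') ?? d.get('default-src');
  const v = (ok) => (ok ? 'allowed' : 'blocked');
  if (src === undefined) {
    return { eval: v(true), inlineScript: v(true), javascriptUrl: v(true) };
  }
  const lower = src.map((s) => s.toLowerCase());
  const hasNonceOrHash = lower.some((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s));
  // A nonce, a hash or 'strict-dynamic' makes the browser ignore 'unsafe-inline'.
  const allInline = lower.includes("'unsafe-inline'") &&
    !hasNonceOrHash && !lower.includes("'strict-dynamic'");
  // Nonce values are case-sensitive, so compare against the original token.
  const nonceOk = scriptNonce !== null && src.some(
    (s) => s.toLowerCase().startsWith("'nonce-") && s.slice(7, -1) === scriptNonce);
  return {
    eval: v(lower.includes("'unsafe-eval'")),
    inlineScript: v(allInline || nonceOk),
    javascriptUrl: v(allInline), // a javascript: URL cannot carry a nonce
  };
}

// The two policies quoted in the console errors, then two stricter ones.
// The nonce value 'r4nd0m' is constructed sample data.
const SAMPLE_POLICIES = [
  ["script-src 'self' 'unsafe-inline'", null],
  ["script-src 'self' 'unsafe-eval'", null],
  ["script-src 'self'", null],
  ["script-src 'self' 'nonce-r4nd0m'", 'r4nd0m'],
];
for (const [policy, nonce] of SAMPLE_POLICIES) {
  console.log(policy, JSON.stringify(scriptVerdict(policy, nonce)));
}
```

The last policy shows why a nonce only solves the inline `<script>` case: javascript: URLs and eval-style calls stay blocked and have to be removed from the application or the generated bootstrap code.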
