Hello everyone,
I recently upgraded an existing GWT application to *GWT 2.12* as part of an effort to make it *CSP-compliant* and, using CrossSiteIframeLinker as suggested, I wanted to specifically ask about *GXT (Ext GWT)*.

Context
- Application upgraded to *GWT 2.12*
- Using CrossSiteIframeLinker
- Strict CSP without unsafe-eval
- Runtime error observed: (EvalError): Evaluating a string as JavaScript violates the following Content Security Policy directive

From investigation and stack traces, the issue appears to originate from *GXT internals*, particularly during runtime behavior.

Question
Do we have any *recommendations or supported approaches* to use *GXT in a CSP-compliant setup without unsafe-eval*? Specifically:
1. Are there *CSP-safe versions of GXT* that avoid eval() entirely?
2. Are there known *configuration flags or patterns* in GXT to disable eval-based behavior?

Any guidance, experience, or official direction regarding GXT and CSP would be greatly appreciated.

Best regards,
Garima Jain

On Wednesday, 3 December 2025 at 13:58:16 UTC+5:30 David Nouls wrote:
> We are using a custom Linker with gwt 2.12 to be able to work with CSP.
>
> The linker extends the CrossSiteIframeLinker and overrides a few methods.
>
> shouldInstallCode always returns false
>
> getHostedFilename returns “” which disables the generation of *.devmode.js files (not needed for us)
>
> getJsProcessMetas returns “com/google/gwt/core/ext/linker/impl/processMetasNull.js” since we don’t use meta tag to configure the app
>
> On Dec 3, 2025 at 08:16 +0100, Garima Jain <[email protected]>, wrote:
> > Hi everyone,
> >
> > I’m working on a GWT 2.11.0 application and trying to tighten our Content Security Policy (CSP) by removing the following insecure directives:
> > - unsafe-eval
> > - unsafe-inline
> >
> > When I try removing *unsafe-eval*, the application starts throwing browser console errors like:
> >
> > *com.google.gwt.core.client.JavaScriptException: (EvalError) : Evaluating a string as JavaScript violates the following Content Security Policy directive because 'unsafe-eval' is not an allowed source of script: script-src 'self' 'unsafe-inline'".*
> >
> > When I then try removing *unsafe-inline*, I receive additional CSP errors such as:
> >
> > *Executing inline script violates the CSP directive 'script-src 'self' 'unsafe-eval'' A nonce or hash is required to enable inline execution. Running javascript: URL violates CSP directive*
> >
> > It looks like both the GWT-generated scripts and some parts of the UI rely on inline scripts and eval-like operations.
> > I’m trying to find out if anyone has successfully removed *both*:
> > - unsafe-eval
> > - unsafe-inline
> > *in a GWT 2.11+ application without breaking functionality*.
> >
> > I’m looking for guidance from anyone who has successfully removed both unsafe-eval and unsafe-inline in a GWT 2.11+ application, including any known workarounds, compiler options, migration steps, or advice on handling inline scripts or eval usage in GWT to achieve strict CSP compliance.
> >
> > --
> > You received this message because you are subscribed to the Google Groups "GWT Users" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> > To view this discussion visit https://groups.google.com/d/msgid/google-web-toolkit/8edc06b3-1c3b-49dc-9929-50a7c94fe7c7n%40googlegroups.com.

--
You received this message because you are subscribed to the Google Groups "GWT Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion visit https://groups.google.com/d/msgid/google-web-toolkit/b26c6c91-e0e5-477e-8a46-f151fba033afn%40googlegroups.com.
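The three overrides David Nouls describes in his quoted reply, written out as one linker class. This is an added example, not David's linker (the thread does not include his code) and not code from the GWT project; the class name, package and the linker name used in the module descriptor are assumptions, and the method signatures follow the GWT 2.x CrossSiteIframeLinker API (shouldInstallCode(LinkerContext), getHostedFilename(), getJsProcessMetas(LinkerContext)). It only changes how GWT's own bootstrap loads the compiled permutation; it does nothing about eval inside GXT, which is the open question in the top message.

```java
// Added example: a CrossSiteIframeLinker subclass with the three overrides
// described in the thread. Package, class and linker names are assumptions.
package com.example.gwt.linker;

import com.google.gwt.core.ext.LinkerContext;
import com.google.gwt.core.ext.linker.LinkerOrder;
import com.google.gwt.core.ext.linker.LinkerOrder.Order;
import com.google.gwt.core.ext.linker.Shardable;
import com.google.gwt.core.linker.CrossSiteIframeLinker;

/**
 * Linker for a deployment whose CSP script-src does not allow 'unsafe-eval'.
 *
 * Register it in the module descriptor (linker name "csp_xsiframe" is an
 * assumption; any unused name works):
 *
 *   <define-linker name="csp_xsiframe"
 *                  class="com.example.gwt.linker.CspCrossSiteIframeLinker"/>
 *   <add-linker name="csp_xsiframe"/>
 */
@LinkerOrder(Order.PRIMARY)
@Shardable
public class CspCrossSiteIframeLinker extends CrossSiteIframeLinker {

  @Override
  public String getDescription() {
    return "Cross-site iframe linker without eval-based code installation";
  }

  /**
   * false: the compiled permutation is loaded through a <script src="...">
   * element instead of being downloaded as text and installed by evaluating
   * that string, which is the operation a CSP without 'unsafe-eval' blocks.
   */
  @Override
  protected boolean shouldInstallCode(LinkerContext context) {
    return false;
  }

  /**
   * Empty name: per David's message this disables emitting the *.devmode.js
   * file, which a production build does not need.
   */
  @Override
  protected String getHostedFilename() {
    return "";
  }

  /**
   * processMetasNull.js: the bootstrap script skips scanning <meta> tags
   * (gwt:property and friends) because this application does not configure
   * anything through meta tags.
   */
  @Override
  protected String getJsProcessMetas(LinkerContext context) {
    return "com/google/gwt/core/ext/linker/impl/processMetasNull.js";
  }
}
```

After recompiling with this linker, a quick check is to reload the page with the strict policy in place and confirm the browser console no longer reports the EvalError from the GWT bootstrap; any remaining EvalError then comes from application or library code such as GXT rather than from the linker output.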
