Hi,
I’m working on a classic GWT application and trying to apply a strict
Content Security Policy (CSP) using a nonce generated per request.
*CSP in use:*
default-src 'self'; script-src 'self' 'nonce-<dynamic>' 'strict-dynamic' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; object-src 'self'; img-src 'self' data:;
*What’s working:*
- The app loads and runs correctly.
- GWT is able to load its scripts dynamically.
- The iframe now uses a safe URL (about:blank) instead of a javascript: URL and works with the current CSP.
- No functional issues in the app.
*What’s the problem:*
Even though everything works, the browser console shows this error:
"Running the JavaScript URL violates the Content Security Policy directive"
The stack trace originates from *GWT code-splitting (runAsync)*,
specifically during execution of split fragments (e.g., application-0.js).
This appears to involve runtime JavaScript execution via javascript: URLs,
which is blocked under strict CSP.
*My questions:*
1. Is there a supported way in GWT to avoid this javascript: execution when using code splitting?
2. Is this console error considered a known limitation of classic GWT under strict CSP, and acceptable if the application works correctly?
I’d like to keep CSP strict and avoid adding unsafe-inline.
Thanks!
To view this discussion visit
https://groups.google.com/d/msgid/google-web-toolkit/7201931a-1b17-4cdf-a6b4-edfd07231e9bn%40googlegroups.com.