Hi everyone,
Following up to check if anyone has faced a similar issue with classic GWT
and strict CSP.
The application works correctly with a nonce-based CSP and strict-dynamic,
but a CSP console error still appears during GWT code splitting (runAsync),
when split fragments (e.g., application-0.js) are executed via runtime
javascript: URLs.
Error:
*application-0.js:1835* Running the JavaScript URL violates the following
Content Security Policy directive 'script-src 'self'
'nonce-kq/FBq3JY1ktQIm9FMZoYw==' 'strict-dynamic' 'unsafe-eval''. Either
the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce
('nonce-...') is required to enable inline execution. Note that hashes do
not apply to event handlers, style attributes and javascript: navigations
unless the 'unsafe-hashes' keyword is present. The action has been blocked.
If anyone has successfully resolved this CSP error (without relaxing CSP by
adding unsafe-inline), I’d really appreciate it if you could share the
approach or workaround you used.
Thanks in advance!
On Monday, 26 January 2026 at 14:23:12 UTC+5:30 Garima Jain wrote:
> Hi,
>
> I’m working on a classic GWT application and trying to apply a strict
> Content Security Policy (CSP) using a nonce generated per request.
>
> *CSP Using:*
> default-src 'self'; script-src 'self' 'nonce-<dynamic>' 'strict-dynamic'
> 'unsafe-eval'; style-src 'self' 'unsafe-inline'; object-src 'self'; img-src
> 'self' data:;
>
> *What’s working:*
>
> - The app loads and runs correctly.
> - GWT is able to load its scripts dynamically.
> - The iframe now uses a safe URL (about:blank) instead of a javascript:
>   URL and works with the current CSP.
> - No functional issues in the app.
>
> *What’s the problem:*
> Even though everything works, the browser console shows this error:
> Running the JavaScript URL violates the Content Security Policy directive
>
> The stack trace originates from *GWT code-splitting (runAsync)*,
> specifically during execution of split fragments (e.g., application-0.js).
> This appears to involve runtime JavaScript execution via javascript: URLs,
> which is blocked under strict CSP.
>
> *My questions:*
>
> 1. Is there a supported way in GWT to avoid this javascript: execution
>    when using code splitting?
> 2. Is this console error considered a known limitation of classic GWT
>    under strict CSP, and acceptable if the application works correctly?
>
> I’d like to keep CSP strict and avoid adding unsafe-inline.
>
> Thanks!
>
--
You received this message because you are subscribed to the Google Groups "GWT
Users" group.
To view this discussion visit
https://groups.google.com/d/msgid/google-web-toolkit/894f3f9e-3583-4f98-a9c9-7b16ac40c02cn%40googlegroups.com.
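
Added example, not part of the original posts and not GWT code: a simplified model of the CSP Level 3 inline check as it applies to `javascript:` URL navigations, run against the policy quoted in the thread. It shows why that policy blocks them (a nonce cannot match because there is no element to carry it) and that `'unsafe-inline'` is ignored in a source list that also contains a nonce, a hash or `'strict-dynamic'`. The function names and the nonce value are assumptions made for the example.

```javascript
// Added example: simplified CSP Level 3 inline check for javascript: URL
// navigations. Function names are hypothetical; report-only policies and
// multiple simultaneous policies are not modelled.

// Parse a serialized policy into a Map of directive name -> source list.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

const HASH = /^'sha(256|384|512)-[^']+'$/i;
const NONCE = /^'nonce-[^']+'$/i;

// Returns 'allowed', 'blocked' or 'needs-matching-hash'.
function checkJavascriptUrl(policy) {
  const d = parsePolicy(policy);
  // javascript: navigations are governed by script-src-elem, which falls
  // back to script-src and then default-src.
  const list = d.get('script-src-elem') ?? d.get('script-src') ?? d.get('default-src');
  if (list === undefined) return 'allowed'; // no governing directive
  const has = (kw) => list.some((s) => s.toLowerCase() === kw);
  // 'unsafe-inline' is ignored once a nonce, a hash or 'strict-dynamic'
  // appears in the same source list.
  const inlineIgnored = has("'strict-dynamic'") ||
    list.some((s) => NONCE.test(s) || HASH.test(s));
  if (has("'unsafe-inline'") && !inlineIgnored) return 'allowed';
  // A nonce cannot match: a javascript: URL has no element to carry one.
  // Hashes are consulted for navigations only with 'unsafe-hashes'.
  if (has("'unsafe-hashes'") && list.some((s) => HASH.test(s))) {
    return 'needs-matching-hash';
  }
  return 'blocked';
}

// The policy quoted in the thread, with a constructed nonce value.
const THREAD_POLICY =
  "default-src 'self'; script-src 'self' 'nonce-Y29uc3RydWN0ZWQ=' " +
  "'strict-dynamic' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; " +
  "object-src 'self'; img-src 'self' data:;";

console.log(checkJavascriptUrl(THREAD_POLICY)); // blocked
```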