Re: apply content secure policy using script-src 'self' and object-src 'self' without unsafe-inline and unsafe-eval
Thanks for your reply. I have migrated to 2.8.2 but now I am facing new issues:

1. No RPC call happened. Ex: existing database calls to load the data, save data, etc. After we apply CSP (without unsafe-inline and unsafe-eval) those are not working.
2. Existing validations are not triggered. Ex: earlier my UI was throwing an error for mandatory data but now this is not working.

On Thu, 7 Mar 2024 at 4:33 PM, paparao rambuddi wrote:

> Thanks for your reply. I have migrated to 2.8.2 but now I am facing new
> issues:
>
> 1. No RPC call happened. Ex: existing database calls to load the data,
> save data, etc. After we apply CSP (without unsafe-inline and
> unsafe-eval) those are not working.
> 2. Existing validations are not triggered. Ex: earlier my UI was throwing
> an error for mandatory data but now this is not working.
>
> On Thursday 7 March 2024 at 00:08:00 UTC+8 Thomas Broyer wrote:
>
>> The problem is not loading the nocache.js itself, but is triggered by the
>> setupInstallLocation function of the nocache.js, at line 71, specifically
>> the line:
>>
>> $doc.body.appendChild(scriptFrame);
>>
>> and probably due to that line:
>>
>> scriptFrame.src = $intern_10;
>>
>> because of:
>>
>> $intern_10 = 'javascript:""'
>>
>> This was actually fixed in 2.8.2:
>> https://github.com/gwtproject/gwt/commit/f5df41df4016cd2ce4e6a15a637dbe2ddc4f3fab,
>> so you're probably using an older version.
>> One workaround, as described in the comments in that file, is to extend
>> CrossSiteIframeLinker and override getJsInstallLocation() to return your
>> own script where you'd have applied the fix.
>>
>> …but then things will break in installCode and __installRunAsyncCode,
>> coming from
>> https://github.com/gwtproject/gwt/blob/2.8.2/dev/core/src/com/google/gwt/core/ext/linker/impl/installScriptDirect.js
>> and
>> https://github.com/gwtproject/gwt/blob/2.8.2/dev/core/src/com/google/gwt/core/ext/linker/impl/runAsync.js
>> respectively.
>> You'll want to replace those with modified versions (read
>> CrossSiteIframeLinker to see how to override them) that will add the nonce
>> to the dynamically created script (though as they're injected into the
>> iframe that's been dynamically created in setupInstallLocation, I'm not
>> sure how/which CSP applies there).
>>
>> On Wednesday, March 6, 2024 at 4:47:29 PM UTC+1 paparao@gmail.com wrote:
>>
>>> Hi Team,
>>> Hope you are doing well.
>>>
>>> I am using GWT version 2.8.2.
>>> I am trying to apply Content Security Policy in GWT using script-src
>>> 'self' and object-src 'self' without unsafe-inline and unsafe-eval, but I
>>> am getting the error below:
>>>
>>> setupInstallLocation @ AllDec.nocache.js?timeStamp=1709618887261:71
>>> AllDec.nocache.js?timeStamp=1709618887261:71 Refused to run the
>>> JavaScript URL because it violates the following Content Security Policy
>>> directive: "script-src 'self' 'nonce-alldec202403040001'
>>> 'nonce-alldec202403040002' 'nonce-trwFrame-202403040001'
>>> 'nonce-footer-202403040001' 'nonce-menu202403040001'
>>> 'nonce-Header2022092604' 'nonce-Header2022092603' 'nonce-Header2022092602'
>>> 'nonce-Header2022092601' 'nonce-header-momentjs-20221027'
>>> 'nonce-header-inline-2022102701' 'nonce-header-inline-2022102702'". Either
>>> the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce
>>> ('nonce-...') is required to enable inline execution. Note that hashes do
>>> not apply to event handlers, style attributes and javascript: navigations
>>> unless the 'unsafe-hashes' keyword is present.
>>>
>>> My code logic with different approaches, and none of them work for me:
>>>
>>> <script src="../trw4/alldec/AllDec.nocache.js?timeStamp=<%= "" + new java.util.Date().getTime() %>" nonce="alldec202403040001"></script>
>>>
>>> <script src="../trw4/alldec/AllDec.nocache.js?timeStamp=<%= "" + new java.util.Date().getTime() %>" nonce="nonce-alldec202403040001"></script>
>>>
>>> <script src="../trw4/alldec/AllDec.nocache.js?nonce=alldec202403040001&timeStamp=<%= "" + new java.util.Date().getTime() %>" nonce="alldec202403040001"></script>
>>>
>>> <script src="../trw4/alldec/AllDec.nocache.js?nonce=nonce-alldec202403040001&timeStamp=<%= "" + new java.util.Date().getTime() %>" nonce="nonce-alldec202403040001"></script>
>>>
>>> I tried this as well but it is not working:
>>>
>>> String scriptUrl = "../trw4/alldec/AllDec.nocache.js?nonce=alldec202403040001";
>>> ScriptInjector.fromUrl(scriptUrl)
>>>     .setWindow(ScriptInjector.TOP_WINDOW)
>>>     .inject();
>>>
>>> Need your valuable inputs to achieve Content Security Policy in GWT using
>>> script-src 'self' and object-src 'self' without unsafe-inline and
>>> unsafe-eval.
>>> I suspect the inline JavaScript code is not allowing me to apply
>>> script-src 'self' and object-src 'self' without unsafe-inline and
>>> unsafe-eval.
>>>
>>> Here is my AllDec.nocache.js:
>>>
>>> function AllDec(){
>>>   var $intern_0 = 'bootstrap', $intern_1 = 'begin', $intern_2 =
>>>   'gwt.codesvr.AllDec=', $intern_3 = 'gwt.codesvr=', $intern_4 = 'AllDec',
>>>   $intern_5 = 'star
Re: apply content secure policy using script-src 'self' and object-src 'self' without unsafe-inline and unsafe-eval
Thanks for your reply. I have migrated to 2.8.2 but now I am facing new issues:

1. No RPC call happened. Ex: existing database calls to load the data, save data, etc. After we apply CSP (with unsafe-inline and unsafe-eval) those are not working.
2. Existing validations are not triggered. Ex: earlier my UI was throwing an error for mandatory data but now this is not working.

On Thursday 7 March 2024 at 00:08:00 UTC+8 Thomas Broyer wrote:

> The problem is not loading the nocache.js itself, but is triggered by the
> setupInstallLocation function of the nocache.js, at line 71, specifically
> the line:
>
> $doc.body.appendChild(scriptFrame);
>
> and probably due to that line:
>
> scriptFrame.src = $intern_10;
>
> because of:
>
> $intern_10 = 'javascript:""'
>
> This was actually fixed in 2.8.2:
> https://github.com/gwtproject/gwt/commit/f5df41df4016cd2ce4e6a15a637dbe2ddc4f3fab,
> so you're probably using an older version.
> One workaround, as described in the comments in that file, is to extend
> CrossSiteIframeLinker and override getJsInstallLocation() to return your
> own script where you'd have applied the fix.
>
> …but then things will break in installCode and __installRunAsyncCode,
> coming from
> https://github.com/gwtproject/gwt/blob/2.8.2/dev/core/src/com/google/gwt/core/ext/linker/impl/installScriptDirect.js
> and
> https://github.com/gwtproject/gwt/blob/2.8.2/dev/core/src/com/google/gwt/core/ext/linker/impl/runAsync.js
> respectively.
> You'll want to replace those with modified versions (read
> CrossSiteIframeLinker to see how to override them) that will add the nonce
> to the dynamically created script (though as they're injected into the
> iframe that's been dynamically created in setupInstallLocation, I'm not
> sure how/which CSP applies there).
>
> On Wednesday, March 6, 2024 at 4:47:29 PM UTC+1 paparao@gmail.com wrote:
>
>> Hi Team,
>> Hope you are doing well.
>>
>> I am using GWT version 2.8.2.
>> I am trying to apply Content Security Policy in GWT using script-src
>> 'self' and object-src 'self' without unsafe-inline and unsafe-eval, but I
>> am getting the error below:
>>
>> setupInstallLocation @ AllDec.nocache.js?timeStamp=1709618887261:71
>> AllDec.nocache.js?timeStamp=1709618887261:71 Refused to run the
>> JavaScript URL because it violates the following Content Security Policy
>> directive: "script-src 'self' 'nonce-alldec202403040001'
>> 'nonce-alldec202403040002' 'nonce-trwFrame-202403040001'
>> 'nonce-footer-202403040001' 'nonce-menu202403040001'
>> 'nonce-Header2022092604' 'nonce-Header2022092603' 'nonce-Header2022092602'
>> 'nonce-Header2022092601' 'nonce-header-momentjs-20221027'
>> 'nonce-header-inline-2022102701' 'nonce-header-inline-2022102702'". Either
>> the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce
>> ('nonce-...') is required to enable inline execution. Note that hashes do
>> not apply to event handlers, style attributes and javascript: navigations
>> unless the 'unsafe-hashes' keyword is present.
>>
>> My code logic with different approaches, and none of them work for me:
>>
>> <script src="../trw4/alldec/AllDec.nocache.js?timeStamp=<%= "" + new java.util.Date().getTime() %>" nonce="alldec202403040001"></script>
>>
>> <script src="../trw4/alldec/AllDec.nocache.js?timeStamp=<%= "" + new java.util.Date().getTime() %>" nonce="nonce-alldec202403040001"></script>
>>
>> <script src="../trw4/alldec/AllDec.nocache.js?nonce=alldec202403040001&timeStamp=<%= "" + new java.util.Date().getTime() %>" nonce="alldec202403040001"></script>
>>
>> <script src="../trw4/alldec/AllDec.nocache.js?nonce=nonce-alldec202403040001&timeStamp=<%= "" + new java.util.Date().getTime() %>" nonce="nonce-alldec202403040001"></script>
>>
>> I tried this as well but it is not working:
>>
>> String scriptUrl = "../trw4/alldec/AllDec.nocache.js?nonce=alldec202403040001";
>> ScriptInjector.fromUrl(scriptUrl)
>>     .setWindow(ScriptInjector.TOP_WINDOW)
>>     .inject();
>>
>> Need your valuable inputs to achieve Content Security Policy in GWT using
>> script-src 'self' and object-src 'self' without unsafe-inline and
>> unsafe-eval.
>> I suspect the inline JavaScript code is not allowing me to apply
>> script-src 'self' and object-src 'self' without unsafe-inline and
>> unsafe-eval.
>>
>> Here is my AllDec.nocache.js:
>>
>> function AllDec(){
>>   var $intern_0 = 'bootstrap', $intern_1 = 'begin', $intern_2 =
>>   'gwt.codesvr.AllDec=', $intern_3 = 'gwt.codesvr=', $intern_4 = 'AllDec',
>>   $intern_5 = 'startup', $intern_6 = 'DUMMY', $intern_7 = 0, $intern_8 = 1,
>>   $intern_9 = 'iframe', $intern_10 = 'javascript:""', $intern_11 =
>>   'position:absolute; width:0; height:0; border:none; left: -1000px;',
>>   $intern_12 = ' top: -1000px;', $intern_13 = 'CSS1Compat', $intern_14 =
>>   '', $intern_15 = '', $intern_16 =
>>   '<\/head><\/body><\/html>', $intern_17 = 'undefined',
>>   $intern_18 = 'readystatechange', $intern_19 = 10, $intern_20 = 'script',
>>   $intern_21 = 'javascript', $intern_22 =