Re: apply content secure policy using script-src 'self' and object-src 'self' without unsafe-inline and unsafe-eval

2024-03-07 Thread paparao rambuddi
Thanks for your reply. I have migrated to 2.8.2, but now I am facing new
issues:

1. No RPC call happens. Ex: my existing database calls to load data,
save data, etc. After applying CSP (without unsafe-inline and
unsafe-eval) those are not working.
2. Existing validations are not triggered. Ex: earlier my UI threw an
error for mandatory data, but now this is not working.


On Thu, 7 Mar 2024 at 4:33 PM, paparao rambuddi 
wrote:

> Thanks for your reply. I have migrated to 2.8.2, but now I am facing new
> issues:
>
> 1. No RPC call happens. Ex: my existing database calls to load data,
> save data, etc. After applying CSP (without unsafe-inline and
> unsafe-eval) those are not working.
> 2. Existing validations are not triggered. Ex: earlier my UI threw an
> error for mandatory data, but now this is not working.
>
> On Thursday 7 March 2024 at 00:08:00 UTC+8 Thomas Broyer wrote:
>
>> The problem is not loading the nocache.js itself, but is triggered by the
>> setupInstallLocation function of the nocache.js, at line 71, specifically
>> the line:
>> $doc.body.appendChild(scriptFrame);
>> and probably due to that line:
>> scriptFrame.src = $intern_10;
>> because of:
>> $intern_10 = 'javascript:""'
>>
>> This was actually fixed in 2.8.2:
>> https://github.com/gwtproject/gwt/commit/f5df41df4016cd2ce4e6a15a637dbe2ddc4f3fab,
>> so you're probably using an older version.
>> One workaround, as described in the comments in that file is to extend
>> CrossSiteIframeLinker and override getJsInstallLocation() to return your
>> own script where you'd have applied the fix.
>>
>> …but then things will break in installCode and __installRunAsyncCode,
>> coming from
>> https://github.com/gwtproject/gwt/blob/2.8.2/dev/core/src/com/google/gwt/core/ext/linker/impl/installScriptDirect.js
>> and
>> https://github.com/gwtproject/gwt/blob/2.8.2/dev/core/src/com/google/gwt/core/ext/linker/impl/runAsync.js
>> respectively.
>> You'll want to replace those with modified versions (read
>> CrossSiteIframeLinker to see how to override them) that will add the nonce
>> to the dynamically created script (though as they're injected into the
>> iframe that's been dynamically created in setupInstallLocation, I'm not
>> sure how/which CSP applies there)
>> On Wednesday, March 6, 2024 at 4:47:29 PM UTC+1 paparao@gmail.com
>> wrote:
>>
>>> Hi Team
>>> Hope you are doing well
>>>
>>> I am using GWT version 2.8.2.
>>> I am trying to apply a Content Security Policy in GWT using script-src
>>> 'self' and object-src 'self' without unsafe-inline and unsafe-eval, but I am
>>> getting the below:
>>>
>>> setupInstallLocation @ AllDec.nocache.js?timeStamp=1709618887261:71
>>> AllDec.nocache.js?timeStamp=1709618887261:71 Refused to run the
>>> JavaScript URL because it violates the following Content Security Policy
>>> directive: "script-src 'self'  'nonce-alldec202403040001'
>>> 'nonce-alldec202403040002' 'nonce-trwFrame-202403040001'
>>> 'nonce-footer-202403040001' 'nonce-menu202403040001'
>>> 'nonce-Header2022092604' 'nonce-Header2022092603' 'nonce-Header2022092602'
>>> 'nonce-Header2022092601' 'nonce-header-momentjs-20221027'
>>> 'nonce-header-inline-2022102701' 'nonce-header-inline-2022102702'". Either
>>> the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce
>>> ('nonce-...') is required to enable inline execution. Note that hashes do
>>> not apply to event handlers, style attributes and javascript: navigations
>>> unless the 'unsafe-hashes' keyword is present.
>>>
>>> Here is my code logic with different approaches; none of them work for me:
>>>
>>>
>>> <script src="../trw4/alldec/AllDec.nocache.js?timeStamp=<%= "" + new
>>> java.util.Date().getTime() %>" nonce="alldec202403040001"></script>
>>>
>>> <script src="../trw4/alldec/AllDec.nocache.js?timeStamp=<%= "" + new
>>> java.util.Date().getTime() %>" nonce="nonce-alldec202403040001"></script>
>>>
>>> <script src="../trw4/alldec/AllDec.nocache.js?nonce=alldec202403040001&timeStamp=<%=
>>> "" + new java.util.Date().getTime() %>" nonce="alldec202403040001"></script>
>>>
>>> <script src="../trw4/alldec/AllDec.nocache.js?nonce=nonce-alldec202403040001&timeStamp=<%=
>>> "" + new java.util.Date().getTime() %>"
>>> nonce="nonce-alldec202403040001"></script>
>>>
>>> i tried this as well but not working
>>>
>>> String scriptUrl =
>>>     "../trw4/alldec/AllDec.nocache.js?nonce=alldec202403040001";
>>> ScriptInjector.fromUrl(scriptUrl)
>>>     .setWindow(ScriptInjector.TOP_WINDOW)
>>>     .inject();
>>>
>>> I need your valuable inputs to achieve a Content Security Policy in GWT
>>> using script-src 'self' and object-src 'self' without unsafe-inline and
>>> unsafe-eval.
>>> I suspect the inline JavaScript code does not allow applying
>>> script-src 'self' and object-src 'self' without unsafe-inline and
>>> unsafe-eval.
>>>
>>>
>>> Here is my AllDec.nocache.js:
>>> function AllDec(){
>>>   var $intern_0 = 'bootstrap', $intern_1 = 'begin', $intern_2 =
>>> 'gwt.codesvr.AllDec=', $intern_3 = 'gwt.codesvr=', $intern_4 = 'AllDec',
>>> $intern_5 = 'star
