tbroyer
commented
1 year ago Currently, GWT requires unsafe-inline (and also using the direct_install linker; see #9725). It should be possible to instead use the hashes for all possible scripts, but obtaining them is not that easy (could be possible using an additional linker maybe?)
Using a nonce might be possible by subclassing CrossSiteIframeLinker and replacing the getJsRunAsync and getJsInstallScript.
It might also be possible to only use <script src> by subclassing CrossSiteIframeLinker and replacing the getJsRunAsync and wrapDeferredFragment.
nbourdais
GWT version: 2.9.0 Browser (with version): Chrome Version 110.0.5481.77 Operating System: Windows 10
Description
In our company, we are using GWT for out frontend and we are experiencing some issue related to CSP rules. In our project, we made sure that we don't use any code (for example JSNI) that use inline script, and set the system property gwt.rpc.version to use JSON instead of eval function for the GWT-RPC.
When applying a strict CSP rules (no inline script, eval etc allowed), the application is not deployed properly in Tomcat (white page + error in browser console).
For example, we got the following error in the browser console :
When the problem occurs, the following code is responsible for the error in the nocache.js file:
Note: the project is compiled with -Dgwt.style=PRETTY
This code seems to be generated by GWT. I'm not sure if this is part of the linker script and if it's configurable but I've tried using :
and
but still having the issue.
I've noticed there was some improvement on CSP compliance in GWT version 2.8.2 but don't know if the issue we're having is a known problem or if there is any solution or workaround to this ?!
Thanks in advance for you anwsers.