Strict CSP (nonce + strict-dynamic) with GWT – CSP violation from code-splitting

3 views
Skip to first unread message

Garima Jain

unread,
3:53 AM (4 hours ago) 3:53 AM
to GWT Users

Hi,

I’m working on a classic GWT application and trying to apply a strict Content Security Policy (CSP) using a nonce generated per request.

CSP Using:

default-src 'self'; script-src 'self' 'nonce-<dynamic>' 'strict-dynamic' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; object-src 'self'; img-src 'self' data:;

What’s working:

  • The app loads and runs correctly.

  • GWT is able to load its scripts dynamically.

  • The iframe now uses a safe URL (about:blank) instead of a javascript: URL and works with the current CSP.  

  • No functional issues in the app.

What’s the problem:
Even though everything works, the browser console shows this error:

Running the JavaScript URL violates the Content Security Policy directive

The stack trace originates from GWT code-splitting (runAsync), specifically during execution of split fragments (e.g., application-0.js).
This appears to involve runtime JavaScript execution via javascript: URLs, which is blocked under strict CSP.

My questions:

  1. Is there a supported way in GWT to avoid this javascript: execution when using code splitting?

  2.   Is this console error considered a known limitation of classic GWT under strict CSP, and acceptable if the application works correctly?  

I’d like to keep CSP strict and avoid adding unsafe-inline.

Thanks!

Reply all
Reply to author
Forward
0 new messages