How to remove/avoid unsafe-eval in GWT with CSP?

[Deepali Sharma]

Hi all,

I am working on a GWT application and facing issues with Content Security Policy (CSP). Currently, GWT uses eval() (or similar dynamic code execution), which means I need to allow unsafe-eval in my CSP. Without this, the page does not load at all.

This is causing repeated failures in application security scans, since unsafe-eval is considered a security risk.

• Is there a way to remove or avoid unsafe-eval in GWT?

• Does GWT provide a CSP-compliant compilation mode or configuration to handle this?

• If yes, how can I enable it in my project (Maven/GWT config)?

Any guidance or best practices to make GWT work with CSP without unsafe-eval would be really helpful.

Thanks!

[Craig Mitchell]

Sounds like you're hitting this:  https://github.com/gwtproject/gwt/issues/9578