GWT CSP compliance ('unsafe-inline' rule)


Yuriy Ostapyuk

Sep 9, 2019, 9:36:00 AM
to GWT Users
Hello.

I'm struggling with GWT vs CSP problem, specifically 'unsafe-inline' rule.

I have an application with several deferred modules, which are compiled and linked with 'xsiframe' or 'direct_install' linkers. And my problem is that linkers use ScriptTagLoadingStrategy, which uses callbacks and eventually appends (and then deletes) a <script> tag to the GWT iframe with inline JavaScript in it, which in the end violates the 'unsafe-inline' rule. I've experimented with default linkers and found out that 'sso' (SingleScriptLinker) fixes the problem, but unfortunately it's not the case for me, as it does not support several modules/fragments.

So, I'm wondering maybe someone has already researched this problem or knows some kind of custom linker, which is using a different strategy to support CSP.

Thank you in advance for any help or suggestion.

Regards.

Thomas Broyer

Sep 9, 2019, 10:09:29 AM
to GWT Users
Most important here in the end is the TODO comment; but that means you should be able to create your own custom linker that would override that method (and possibly others, e.g. getJsRunAsync).

But currently, yes, you need unsafe-inline (and/or CSP3's strict-dynamic, and/or CSP2's hash sources –it should be possible to compute those hashes at compile-time using a special linker; in the worst case a special CrossSiteIframeLinker's wrapDeferredFragment override–)
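
The hash-source option mentioned in the reply above, as an added example that is not part of the original thread and not GWT code: it computes the CSP `'sha256-…'` source for the exact text of each inline script and assembles a `script-src` directive. The class name, the `exampleOnFragmentLoaded` strings and the assumption that the injected inline text is known and identical on every load are illustrative only.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

public class CspHashSources {

    /** Returns the CSP hash source ('sha256-...') for the exact text of an inline script. */
    static String hashSource(String inlineScript) {
        try {
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            // The browser hashes the UTF-8 bytes of the script element's text, unmodified.
            byte[] digest = sha256.digest(inlineScript.getBytes(StandardCharsets.UTF_8));
            return "'sha256-" + Base64.getEncoder().encodeToString(digest) + "'";
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is required on every Java platform", e);
        }
    }

    /** Builds a script-src directive allowing 'self' plus each distinct inline script by hash. */
    static String scriptSrc(List<String> inlineScripts) {
        Set<String> sources = new LinkedHashSet<>();
        sources.add("'self'");
        for (String script : inlineScripts) {
            sources.add(hashSource(script));
        }
        return "script-src " + String.join(" ", sources);
    }

    public static void main(String[] args) {
        // Constructed stand-ins for the inline text a loader would inject; not real GWT output.
        List<String> injected = List.of(
            "window.exampleOnFragmentLoaded(1);",
            "window.exampleOnFragmentLoaded(2);",
            "window.exampleOnFragmentLoaded(1);"); // duplicate collapses to one source
        System.out.println("Content-Security-Policy: " + scriptSrc(injected));

        // One added space changes the digest, so the browser would block this variant.
        String variant = "window.exampleOnFragmentLoaded(1); ";
        System.out.println(hashSource(injected.get(0)).equals(hashSource(variant)));
    }
}
```

A hash source matches only byte-identical script text, so every distinct inline string the loader can inject needs its own entry in the policy, and any change to that text at build time requires regenerating the header.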

Yuriy Ostapyuk

Sep 10, 2019, 6:33:13 AM
to GWT Users
Thank you so much for the suggestions, it helped me.

Yegor

Apr 13, 2021, 3:55:37 PM
to GWT Users
Hello Yuriy,
Would you please share how you solved the issue?
