We are implementing CSP in our application, which uses GWT version 2.10.0.
The scripts are using a nonce value set on the tags which the CSP script-src directive uses to verify and to allow access.
We also have URLs which need to be whitelisted in the script-src directive, so we cannot use strict-dynamic for inline scripts.
We are using code splitting enabled in GWT and also using xsiframe.
Nothing works to implement inline JS in *nocache.js; it fails with this - f.appendChild(g) - Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' Either the 'unsafe-inline' keyword, a hash ('sha256-ZcEtuzld5ACAA/kdUUaWjDmI0w4iu451MSo8nEMgTRY='), or a nonce ('nonce-...') is required to enable inline execution.
Tried the options below; none of them work:
1. <add-linker name="direct_install" />
2. MutationObserver
3. Also tried overriding window.__installRunAsyncCode and window.__gwt_getInstallScript to append the nonce value.
4. ScriptInjector value to set the nonce.
5. CrossSiteLinkerFramework to override getJsInstallScript()
This works, but only with no code splitting:
<set-configuration-property name="installCode" value="false" />
<!--A related property that must also be configured to properly handle fragment loading -->
<set-configuration-property name="installScriptJs"
value="com/google/gwt/core/ext/linker/impl/installScriptDirect.js" />
Does anyone know how this can be implemented to solve the inline JS issue in GWT?
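
As an added example that is not part of the original post and is not GWT code: a simplified JavaScript model of the inline-script check behind the error quoted above, showing why a script element appended at runtime without a nonce attribute is refused while a nonce-carrying or hash-listed one is allowed. The policy, nonce, script body and function names are constructed, and the model leaves out default-src fallback and report-only policies.

```javascript
// Added example: simplified model of the CSP Level 3 inline-script check.
// Policy, nonce, script body and function names are constructed for illustration.
const { createHash } = require('node:crypto');

// Return the source expressions of the script-src directive, or null if absent.
function scriptSrcSources(policy) {
  for (const directive of policy.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'script-src') return sources;
  }
  return null; // default-src fallback is not modelled here
}

// Build the hash source expression a policy would need for this inline body.
function hashSource(body) {
  const digest = createHash('sha256').update(body, 'utf8').digest('base64');
  return `'sha256-${digest}'`;
}

// Decide whether an inline <script> with this body and nonce attribute may run.
function inlineScriptVerdict(policy, body, nonceAttr) {
  const sources = scriptSrcSources(policy);
  if (sources === null) return 'allowed: no script-src';
  if (nonceAttr && sources.includes(`'nonce-${nonceAttr}'`)) return 'allowed: nonce';
  if (sources.includes(hashSource(body))) return 'allowed: hash';
  // 'unsafe-inline' is ignored once the list holds a nonce, a hash or 'strict-dynamic'.
  const overridesUnsafeInline = sources.some(
    (s) => /^'(nonce-|sha(256|384|512)-)/.test(s) || s === "'strict-dynamic'");
  if (sources.includes("'unsafe-inline'") && !overridesUnsafeInline) {
    return 'allowed: unsafe-inline';
  }
  return 'blocked';
}

const POLICY = "script-src 'self' 'nonce-r4nd0mConstructed' https://cdn.example.com";
const BODY = "console.log('constructed inline bootstrap');";

function demo() {
  return {
    taggedWithNonce: inlineScriptVerdict(POLICY, BODY, 'r4nd0mConstructed'),
    appendedWithoutNonce: inlineScriptVerdict(POLICY, BODY, undefined),
    hashListed: inlineScriptVerdict(`script-src 'self' ${hashSource(BODY)}`, BODY, undefined),
    unsafeInlineBesideNonce: inlineScriptVerdict(`${POLICY} 'unsafe-inline'`, BODY, undefined),
  };
}

console.log(demo());
```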