CSP issues with UiBinder
104 views
Skip to first unread message
mighty...@gmail.com
Jul 31, 2024, 11:42:16 AM7/31/24
to GWT Users
Hello all. I am working to make our webapp compliant with our CSP, and have removed `style-src unsafe-inline`. I am working through any errors that have popped up, but one is stumping me
At runtime, it appears that GWT is injecting all the CSS from our Ui Binder files using StyleInjectorImpl `injectStyleSheet` method.
This is violating the CSP. Is there any way around this? I'm aware that the main way to ensure CSP compliance is to use a nonce value, but due to some quirks with our setup, this is not possible.
Craig Mitchell
Jul 31, 2024, 9:26:57 PM7/31/24
to GWT Users
There are multiple ways of using CSS in the UIBinder, I'm not sure which one uses injectStyleSheet behind the scenes. Are you referring to using:
- The <ui:style> tag in the ui.xml files.
- Resources with CssResource and the <ui:with ...> tag in the ui.xml files.
- Or are you programmatically injecting CSS in the code.
The obvious workaround would be to put your CSS in the main index.html file, and reference it from there, however, that might not be practical for your situation.
Colin Alworth
Jul 31, 2024, 11:11:45 PM7/31/24
to GWT Users
After some discussion in gitter a few hours ago, we filed https://github.com/gwtproject/gwt/issues/9990 as a research topic to look more deeply into this within GWT itself.
It looks to me as though a separate StyleInjector implementation could be provided that no longer batches style tag creation, but instead inserts each individually. When the app is compiled, the hash for each block of CSS could be computed (...minus any runtime value interpolation), and a generated file made available to the server so that appropriate CSP headers can be set on http responses.
Creating many individual css files and loading them via <link> tags is an option too, but won't load synchronously that way, unless you hit them all at startup (which then would mean that you may load them unnecessarily).
Alternatively, a nonce could be specified and injected with each style tag - but that seems like a weaker approach in general, since it requires making the nonce available to the page's script code.
Craig Mitchell
Aug 1, 2024, 9:26:55 PM8/1/24
to GWT Users
What am I missing here. I use CssResource and don't have "style-src unsafe-inline" anywhere, and it all works fine.
Ie:
public class ResourcesCommon {
private static final ResourcesCommonDefinitions INSTANCE = GWT.create(ResourcesCommonDefinitions.class);
public static ResourcesCommonDefinitions inst() {
return INSTANCE;
}
}
private static final ResourcesCommonDefinitions INSTANCE = GWT.create(ResourcesCommonDefinitions.class);
public static ResourcesCommonDefinitions inst() {
return INSTANCE;
}
}
public interface ResourcesCommonDefinitions extends ClientBundle {
@Source("style.css") ResourcesCommonCSS css();
@Source("style.css") ResourcesCommonCSS css();
}
public interface ResourcesCommonCSS extends CssResource {
@ClassName("someStyle") String someStyle();
}
Have all the css in style.css:
.someStyle {
color: red;
}
color: red;
}
And in the ui.xml files:
<ui:with field="resCommon" type="proj.my.ResourcesCommon" />
<g:HTMLPanel>
<div ui:field="myDiv" class="{resCommon.inst.css.
someStyle }">
</div>
</g:HTMLPanel>
Craig Mitchell
Aug 1, 2024, 9:31:10 PM8/1/24
to GWT Users
Apologies. Didn't realise CSP isn't enabled in browsers by default.
Reply all
Reply to author
Forward
0 new messages