What am I missing here?  I use CssResource and don't have "style-src 
unsafe-inline" anywhere, and it all works fine.

I.e.:

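// ResourcesCommon.java
import com.google.gwt.core.client.GWT;

public class ResourcesCommon {
  private static final ResourcesCommonDefinitions INSTANCE =
      GWT.create(ResourcesCommonDefinitions.class);

  public static ResourcesCommonDefinitions inst() {
    return INSTANCE;
  }
}

// ResourcesCommonDefinitions.java
import com.google.gwt.resources.client.ClientBundle;

public interface ResourcesCommonDefinitions extends ClientBundle {
  @Source("style.css") ResourcesCommonCSS css();
}

// ResourcesCommonCSS.java
import com.google.gwt.resources.client.CssResource;

public interface ResourcesCommonCSS extends CssResource {
  @ClassName("someStyle") String someStyle();
}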

Have all the css in style.css:

.someStyle {
  color: red;
}

And in the ui.xml files:

<ui:with field="resCommon" type="proj.my.ResourcesCommon" />

<g:HTMLPanel>
  <div ui:field="myDiv" class="{resCommon.inst.css.someStyle}">
  </div>
</g:HTMLPanel>

On Thursday 1 August 2024 at 1:11:45 pm UTC+10 Colin Alworth wrote:

> After some discussion in gitter a few hours ago 
> <https://matrix.to/#/!AvXTCxQwVkniJBaCEi:gitter.im/$eQPedHE1EIVfShi8awSlne0eZG5CMP41Aa_8EQXOjRw>, 
> we filed https://github.com/gwtproject/gwt/issues/9990 as a research 
> topic to look more deeply into this within GWT itself.
>
> It looks to me as though a separate StyleInjector implementation could be 
> provided that no longer batches style tag creation, but instead inserts 
> each individually. When the app is compiled, the hash for each block of CSS 
> could be computed (...minus any runtime value interpolation), and a 
> generated file made available to the server so that appropriate CSP headers 
> can be set on http responses.
>
> Creating many individual css files and loading them via <link> tags is an 
> option too, but won't load synchronously that way, unless you hit them all 
> at startup (which then would mean that you may load them unnecessarily).
>
> Alternatively, a nonce could be specified and injected with each style tag 
> - but that seems like a weaker approach in general, since it requires 
> making the nonce available to the page's script code.
>
> On Wednesday, July 31, 2024 at 8:26:57 PM UTC-5 ma...@craig-mitchell.com 
> wrote:
>
>> There are multiple ways of using CSS in the UIBinder, I'm not sure which 
>> one uses injectStyleSheet behind the scenes.  Are you referring to using:
>>
>>    1. The <ui:style> tag in the ui.xml files.
>>    2. Resources with CssResource and the <ui:with ...> tag in the ui.xml 
>>    files.
>>    3. Or are you programmatically injecting CSS in the code?
>>
>> The obvious workaround would be to put your CSS in the main index.html 
>> file, and reference it from there, however, that might not be practical for 
>> your situation.
>>
>> On Thursday 1 August 2024 at 1:42:16 am UTC+10 mighty...@gmail.com wrote:
>>
>>> Hello all. I am working to make our webapp compliant with our CSP, and 
>>> have removed `style-src unsafe-inline`. I am working through any errors 
>>> that have popped up, but one is stumping me.
>>>
>>> At runtime, it appears that GWT is injecting all the CSS from our Ui 
>>> Binder files using StyleInjectorImpl 
>>> <https://www.gwtproject.org/javadoc/latest/com/google/gwt/dom/client/StyleInjector.StyleInjectorImpl.html>
>>>  `injectStyleSheet` 
>>> method. 
>>>
>>> This is violating the CSP. Is there any way around this? I'm aware that 
>>> the main way to ensure CSP compliance is to use a nonce value, but due to 
>>> some quirks with our setup, this is not possible. 
>>>
>>

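The compile-time hashing suggested in the quoted reply above, sketched as an added example that is not part of the thread or of GWT: it computes a CSP hash source for each style block and builds the `style-src` directive a server could send. The class and method names (`CspStyleHashes`, `hashSource`, `styleSrc`) are hypothetical and the CSS strings are constructed samples standing in for compiled CssResource output.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

public class CspStyleHashes {

  /** CSP hash source for the exact text content of one <style> element. */
  static String hashSource(String styleText) {
    try {
      byte[] digest = MessageDigest.getInstance("SHA-256")
          .digest(styleText.getBytes(StandardCharsets.UTF_8));
      return "'sha256-" + Base64.getEncoder().encodeToString(digest) + "'";
    } catch (NoSuchAlgorithmException e) {
      throw new IllegalStateException(e); // SHA-256 is required on every JVM
    }
  }

  /** Directive allowing same-origin stylesheets plus the listed inline blocks. */
  static String styleSrc(List<String> blocks) {
    Set<String> sources = new LinkedHashSet<>(); // de-duplicate identical blocks
    for (String block : blocks) {
      sources.add(hashSource(block));
    }
    return "style-src 'self' " + String.join(" ", sources);
  }

  public static void main(String[] args) {
    // Constructed sample blocks, one per injected <style> tag.
    String a = ".someStyle{color:red}";
    String b = ".other{margin:0}";
    String policy = styleSrc(List.of(a, b));
    System.out.println("Content-Security-Policy: " + policy);

    // A batched <style> tag holding both blocks matches neither hash,
    // which is why each block has to be inserted individually.
    System.out.println("batched tag allowed: "
        + policy.contains(hashSource(a + b)));

    // Any byte-level difference (whitespace, an interpolated runtime value)
    // produces a different hash and the browser blocks the tag.
    System.out.println("reformatted block allowed: "
        + policy.contains(hashSource(".someStyle { color: red; }")));
  }
}
```

Both checks print `false`: the hash covers the exact bytes of each style element, so the generated list must come from the same strings the client injects.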