What am I missing here? I use CssResource and don't have "style-src 
unsafe-inline" anywhere, and it all works fine.

I.e.:

public class ResourcesCommon {
  private static final ResourcesCommonDefinitions INSTANCE =
      GWT.create(ResourcesCommonDefinitions.class);
  public static ResourcesCommonDefinitions inst() {
    return INSTANCE;
  }
}

public interface ResourcesCommonDefinitions extends ClientBundle {
  @Source("style.css") ResourcesCommonCSS css();
}

public interface ResourcesCommonCSS extends CssResource {
  @ClassName("someStyle") String someStyle();
}

Have all the css in style.css:

.someStyle {
  color: red;
}

And in the ui.xml files:

<ui:with field="resCommon" type="proj.my.ResourcesCommon" />

<g:HTMLPanel>
  <div ui:field="myDiv" class="{resCommon.inst.css.someStyle}">
  </div>
</g:HTMLPanel>

On Thursday 1 August 2024 at 1:11:45 pm UTC+10 Colin Alworth wrote:

> After some discussion in gitter a few hours ago 
> <https://matrix.to/#/!AvXTCxQwVkniJBaCEi:gitter.im/$eQPedHE1EIVfShi8awSlne0eZG5CMP41Aa_8EQXOjRw>,
> we filed https://github.com/gwtproject/gwt/issues/9990 as a research 
> topic to look more deeply into this within GWT itself.
>
> It looks to me as though a separate StyleInjector implementation could be 
> provided that no longer batches style tag creation, but instead inserts 
> each individually. When the app is compiled, the hash for each block of CSS 
> could be computed (...minus any runtime value interpolation), and a 
> generated file made available to the server so that appropriate CSP headers 
> can be set on http responses.
>
> Creating many individual css files and loading them via <link> tags is an 
> option too, but won't load synchronously that way, unless you hit them all 
> at startup (which then would mean that you may load them unnecessarily).
>
> Alternatively, a nonce could be specified and injected with each style tag 
> - but that seems like a weaker approach in general, since it requires 
> making the nonce available to the page's script code.
>
> On Wednesday, July 31, 2024 at 8:26:57 PM UTC-5 [email protected] 
> wrote:
>
>> There are multiple ways of using CSS in the UIBinder, I'm not sure which 
>> one uses injectStyleSheet behind the scenes.  Are you referring to using:
>>
>>    1. The <ui:style> tag in the ui.xml files.
>>    2. Resources with CssResource and the <ui:with ...> tag in the ui.xml 
>>    files.
>>    3. Or are you programmatically injecting CSS in the code.
>>
>> The obvious workaround would be to put your CSS in the main index.html 
>> file, and reference it from there, however, that might not be practical for 
>> your situation.
>>
>> On Thursday 1 August 2024 at 1:42:16 am UTC+10 [email protected] wrote:
>>
>>> Hello all. I am working to make our webapp compliant with our CSP, and 
>>> have removed `style-src unsafe-inline`. I am working through any errors 
>>> that have popped up, but one is stumping me.
>>>
>>> At runtime, it appears that GWT is injecting all the CSS from our UiBinder 
>>> files using StyleInjectorImpl 
>>> <https://www.gwtproject.org/javadoc/latest/com/google/gwt/dom/client/StyleInjector.StyleInjectorImpl.html>
>>> `injectStyleSheet` method.
>>>
>>> This is violating the CSP. Is there any way around this? I'm aware that 
>>> the main way to ensure CSP compliance is to use a nonce value, but due to 
>>> some quirks with our setup, this is not possible. 
>>>
>>
