I'm not sure what options 2-5 would have to do with loading the initial fragment, so perhaps this is a series of steps that resolves multiple, different CSP violations?
That is, step 1 should solve the nocache.js trying to append its contents - can you then share the other errors you specifically ran into, and how the fixes were applied, and what errors still remained?

Using a newer version of GWT may also serve you well here - https://github.com/gwtproject/gwt/commit/c6b8b0540b2f86304a0b9764f1499f8142aadf3d is in 2.11 and above, and handles a CSP issue with direct_install. Note that 2.12.2 is latest.

On Thursday, October 9, 2025 at 11:59:14 AM UTC-5 Santosh Rao wrote:

> We are implementing CSP in our application which uses GWT 2.10.0 version.
>
> The scripts are using a nonce value set on the tags which the CSP script-src directive uses to verify and to allow access.
>
> We also have URL’s which need to be whitelisted in the script-src directive. So we cannot use strict-dynamic for inline scripts.
>
> We are using Code splitting enabled in GWT and also using xsiframe
>
> Nothing works to implement inline JS in *nocache.js fails with this -
>
> f.appendChild(g) - Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' Either the 'unsafe-inline' keyword, a hash ('sha256-ZcEtuzld5ACAA/kdUUaWjDmI0w4iu451MSo8nEMgTRY='), or a nonce ('nonce-...') is required to enable inline execution.
>
> Tried the below options - does not work
>
> 1. <add-linker name="direct_install" />
>
> 2. MutationObserver
>
> 3. Also tried overriding window.__installRunAsyncCode and window.__gwt_getInstallScript to append the nonce value.
>
> 4. ScriptInjector value to set the nonce.
>
> 5. CrossSiteLinkerFramework to override getJsInstallScript()
>
> This works - But only with No code splitting
>
> <set-configuration-property name="installCode" value="false" />
>
> <!--A related property that must also be configured to properly handle fragment loading -->
>
> <set-configuration-property name="installScriptJs" value="com/google/gwt/core/ext/linker/impl/installScriptDirect.js" />
>
> Does anyone know how this can be implemented to solve the inline JS issue in GWT.
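
An added illustration, not part of the thread and not GWT code: a simplified Node.js model of the browser's inline-script check behind the "Refused to execute inline script" error quoted above. The policy string, host and nonce are constructed, and the model reads only script-src with a default-src fallback.

```javascript
const crypto = require('node:crypto');

// Return the source list that governs scripts: script-src, else default-src.
function scriptSources(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources); // first occurrence wins
    }
  }
  return directives.get('script-src') || directives.get('default-src') || null;
}

// Decide whether an inline <script> with the given text and nonce attribute runs.
function inlineScriptAllowed(policy, scriptText, elementNonce) {
  const sources = scriptSources(policy);
  if (sources === null) return { allowed: true, reason: 'no governing directive' };

  const nonces = [];
  const hashes = [];
  for (const source of sources) {
    const m = /^'(nonce|sha256|sha384|sha512)-([^']+)'$/i.exec(source);
    if (!m) continue; // host, scheme and keyword sources never match inline code
    if (m[1].toLowerCase() === 'nonce') nonces.push(m[2]);
    else hashes.push({ alg: m[1].toLowerCase(), digest: m[2] });
  }

  // 'unsafe-inline' is ignored once a nonce, a hash or 'strict-dynamic' is listed.
  const keywords = sources.map((s) => s.toLowerCase());
  const unsafeInlineHonoured = keywords.includes("'unsafe-inline'") &&
    nonces.length === 0 && hashes.length === 0 &&
    !keywords.includes("'strict-dynamic'");
  if (unsafeInlineHonoured) return { allowed: true, reason: 'unsafe-inline' };

  if (elementNonce && nonces.includes(elementNonce)) {
    return { allowed: true, reason: 'nonce' };
  }
  for (const { alg, digest } of hashes) {
    const actual = crypto.createHash(alg).update(scriptText, 'utf8').digest('base64');
    if (actual === digest) return { allowed: true, reason: 'hash' };
  }
  return { allowed: false, reason: 'no unsafe-inline, matching hash or matching nonce' };
}

// Constructed policy: allow-listed host plus a per-response nonce.
const POLICY = "script-src 'self' https://cdn.example.test 'nonce-r4nd0mValue'";
console.log(inlineScriptAllowed(POLICY, 'boot()', undefined));     // element created without a nonce
console.log(inlineScriptAllowed(POLICY, 'boot()', 'r4nd0mValue')); // nonce copied onto the element
```

The allow-listed host and 'self' play no part in the inline decision, so a script element created at runtime without the nonce attribute is refused even though the page's own script tags carry one.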
