Re: apply content secure policy using script-src 'self' and object-src 'self' without unsafe-inline and unsafe-eval

2024-03-06 Thread Thomas Broyer
The problem is not loading the nocache.js itself, but is triggered by the 
setupInstallLocation function of the nocache.js, at line 71, specifically 
the line:
$doc.body.appendChild(scriptFrame);
and probably due to that line:
scriptFrame.src = $intern_10;
because of:
$intern_10 = 'javascript:""'

This was actually fixed in 2.8.2: 
https://github.com/gwtproject/gwt/commit/f5df41df4016cd2ce4e6a15a637dbe2ddc4f3fab
so you're probably using an older version.
One workaround, as described in the comments in that file is to extend 
CrossSiteIframeLinker and override getJsInstallLocation() to return your 
own script where you'd have applied the fix.

…but then things will break in installCode and __installRunAsyncCode, 
coming from 
https://github.com/gwtproject/gwt/blob/2.8.2/dev/core/src/com/google/gwt/core/ext/linker/impl/installScriptDirect.js
and 
https://github.com/gwtproject/gwt/blob/2.8.2/dev/core/src/com/google/gwt/core/ext/linker/impl/runAsync.js
respectively.
You'll want to replace those with modified versions (read 
CrossSiteIframeLinker to see how to override them) that will add the nonce 
to the dynamically created script (though as they're injected into the 
iframe that's been dynamically created in setupInstallLocation, I'm not 
sure how/which CSP applies there)
On Wednesday, March 6, 2024 at 4:47:29 PM UTC+1 paparao@gmail.com wrote:

> Hi Team
> Hope you are doing well
>
> I am using GWT version 2.8.2
> I am trying to apply Content Security Policy in GWT using script-src 'self' 
> and object-src 'self' without unsafe-inline and unsafe-eval but I am 
> getting the below error:
>
> setupInstallLocation @ AllDec.nocache.js?timeStamp=1709618887261:71
> AllDec.nocache.js?timeStamp=1709618887261:71 Refused to run the JavaScript 
> URL because it violates the following Content Security Policy directive: 
> "script-src 'self'  'nonce-alldec202403040001' 'nonce-alldec202403040002' 
> 'nonce-trwFrame-202403040001' 'nonce-footer-202403040001' 
> 'nonce-menu202403040001' 'nonce-Header2022092604' 'nonce-Header2022092603' 
> 'nonce-Header2022092602' 'nonce-Header2022092601' 
> 'nonce-header-momentjs-20221027' 'nonce-header-inline-2022102701' 
> 'nonce-header-inline-2022102702'". Either the 'unsafe-inline' keyword, a 
> hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline 
> execution. Note that hashes do not apply to event handlers, style 
> attributes and javascript: navigations unless the 'unsafe-hashes' keyword 
> is present.
>
> My code logic with different approaches, and none of them work for me:
>
> <script src="../trw4/alldec/AllDec.nocache.js?timeStamp=<%= "" + new java.util.Date().getTime() %>" nonce="alldec202403040001"></script>
>
> <script src="../trw4/alldec/AllDec.nocache.js?timeStamp=<%= "" + new java.util.Date().getTime() %>" nonce="nonce-alldec202403040001"></script>
>
> <script src="../trw4/alldec/AllDec.nocache.js?nonce=alldec202403040001&timeStamp=<%= "" + new java.util.Date().getTime() %>" nonce="alldec202403040001"></script>
>
> <script src="../trw4/alldec/AllDec.nocache.js?nonce=nonce-alldec202403040001&timeStamp=<%= "" + new java.util.Date().getTime() %>" nonce="nonce-alldec202403040001"></script>
>
> I tried this as well but it is not working:
>
>     String scriptUrl = "../trw4/alldec/AllDec.nocache.js?nonce=alldec202403040001";
>     ScriptInjector.fromUrl(scriptUrl)
>         .setWindow(ScriptInjector.TOP_WINDOW)
>         .inject();
>
> Need your valuable inputs to achieve Content Security Policy in GWT using 
> script-src 'self' and object-src 'self' without unsafe-inline and 
> unsafe-eval.
> I suspect the inline JavaScript code is not allowing me to apply 
> script-src 'self' and object-src 'self' without unsafe-inline and 
> unsafe-eval.
>
>
> Here is my AllDec.nocache.js:
> function AllDec(){
>   var $intern_0 = 'bootstrap', $intern_1 = 'begin', $intern_2 = 
> 'gwt.codesvr.AllDec=', $intern_3 = 'gwt.codesvr=', $intern_4 = 'AllDec', 
> $intern_5 = 'startup', $intern_6 = 'DUMMY', $intern_7 = 0, $intern_8 = 1, 
> $intern_9 = 'iframe', $intern_10 = 'javascript:""', $intern_11 = 
> 'position:absolute; width:0; height:0; border:none; left: -1000px;', 
> $intern_12 = ' top: -1000px;', $intern_13 = 'CSS1Compat', $intern_14 = 
> '', $intern_15 = '', $intern_16 = 
> '<\/head><\/body><\/html>', $intern_17 = 'undefined', 
> $intern_18 = 'readystatechange', $intern_19 = 10, $intern_20 = 'script', 
> $intern_21 = 'javascript', $intern_22 = 'Failed to load ', $intern_23 = 
> 'moduleStartup', $intern_24 = 'scriptTagAdded', $intern_25 = 
> 'moduleRequested', $intern_26 = 'meta', $intern_27 = 'name', $intern_28 = 
> 'AllDec::', $intern_29 = '::', $intern_30 = 'gwt:property', $intern_31 = 
> 'content', $intern_32 = '=', $intern_33 = 'gwt:onPropertyErrorFn', 
> $intern_34 = 'Bad handler "', $intern_35 = '" for "gwt:onPropertyErrorFn"', 
> $intern_36 = 'gwt:onLoadErrorFn', $intern_37 = '" for "gwt:onLoadErrorFn"', 
> $intern_38 = '#', $intern_39 = '?', $intern_40 = '/', $intern_41 = 'img', 
> $intern_42 = 
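
Added example (editor's illustration, not part of either post and not GWT's own code): a minimal stand-in for what installLocationIframe.js and installScriptDirect.js do, reworked the way the reply above suggests so the bootstrap runs under a nonce-only script-src. The function names (setupInstallLocation, currentNonce, installCode), the fake DOM, the nonce value and the code chunks are all constructed for this example; in a browser you would pass the real document. It shows two things: the install iframe is created without a javascript: URL, because neither a nonce nor a hash can authorise a javascript: navigation (the error in the question says exactly that), and the nonce of the nocache.js script tag is copied onto every script element injected into the frame. On the open question of which CSP applies inside that frame: an about:blank frame inherits the policy of the document that created it, so the same nonce is valid there.

```javascript
// Added example, not GWT code. Names below are assumptions for illustration.

// 1. The install location. GWT 2.8 set `scriptFrame.src = 'javascript:""'`,
//    which is a javascript: navigation and is refused by a nonce-only CSP.
//    Leaving src unset gives an about:blank frame: same-origin, and it
//    inherits the embedding document's CSP, so the same nonce works inside.
function setupInstallLocation(doc, moduleName) {
  var frame = doc.createElement('iframe');
  frame.id = moduleName;
  frame.style.cssText = 'position:absolute; width:0; height:0; border:none; left:-1000px; top:-1000px;';
  frame.tabIndex = -1;
  doc.body.appendChild(frame);          // no javascript: URL, no inline handler
  return frame.contentWindow.document;  // the frame's document receives the code
}

// 2. The nonce, read from the <script> element executing nocache.js.
//    Prefer the .nonce IDL property: browsers that implement nonce hiding
//    return '' from getAttribute('nonce') once the element is in the DOM.
function currentNonce(doc) {
  var s = doc.currentScript;
  return s ? (s.nonce || s.getAttribute('nonce') || '') : '';
}

// 3. installCode: each permutation chunk becomes an inline <script> in the
//    install frame. Inline scripts need the nonce (or a hash) under a CSP
//    without 'unsafe-inline', so the nonce is put on every element.
function installCode(frameDoc, chunks, nonce) {
  var installed = [];
  for (var i = 0; i < chunks.length; i++) {
    var script = frameDoc.createElement('script');
    script.language = 'javascript';
    if (nonce) { script.nonce = nonce; script.setAttribute('nonce', nonce); }
    script.text = chunks[i];
    frameDoc.body.appendChild(script);
    installed.push(script);
  }
  return installed;
}

// Constructed fake DOM so the example runs offline under Node; a browser
// would use the real `document` instead.
function fakeElement(tag) {
  var el = { tagName: tag, attrs: {}, children: [], style: {} };
  el.setAttribute = function (k, v) { el.attrs[k] = v; };
  el.getAttribute = function (k) { return k in el.attrs ? el.attrs[k] : null; };
  el.appendChild = function (c) { el.children.push(c); return c; };
  if (tag === 'iframe') { el.contentWindow = { document: fakeDocument() }; }
  return el;
}
function fakeDocument() {
  var doc = { body: fakeElement('body') };
  doc.createElement = fakeElement;
  return doc;
}

// Worked run: bootstrap with a nonce, then inspect what was created.
function demo() {
  var doc = fakeDocument();
  // the <script src="AllDec.nocache.js" nonce="..."> tag as the browser exposes it
  doc.currentScript = fakeElement('script');
  doc.currentScript.nonce = 'r4nd0mNonce';   // constructed nonce value
  var frameDoc = setupInstallLocation(doc, 'AllDec');
  var nonce = currentNonce(doc);
  var scripts = installCode(frameDoc, ['var a = 1;', 'var b = a + 1;'], nonce);
  return {
    frameSrc: doc.body.children[0].src,      // undefined: no javascript: URL set
    nonce: nonce,
    allNonced: scripts.every(function (s) { return s.nonce === nonce; })
  };
}
```

Two practical caveats. doc.currentScript must be read synchronously while nocache.js itself is executing (it is null from callbacks and inside module scripts), so capture the nonce before any deferred work such as the permutation download. And adding 'unsafe-inline' next to the nonces in the question's policy would not rescue the javascript: URL either: a CSP2-capable browser ignores 'unsafe-inline' whenever a nonce or hash is present in the same directive.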

apply content secure policy using script-src 'self' and object-src 'self' without unsafe-inline and unsafe-eval

2024-03-06 Thread paparao rambuddi
Hi Team
Hope you are doing well

I am using GWT version 2.8.2
I am trying to apply Content Security Policy in GWT using script-src 'self' 
and object-src 'self' without unsafe-inline and unsafe-eval but I am 
getting the below error:

setupInstallLocation @ AllDec.nocache.js?timeStamp=1709618887261:71
AllDec.nocache.js?timeStamp=1709618887261:71 Refused to run the JavaScript 
URL because it violates the following Content Security Policy directive: 
"script-src 'self'  'nonce-alldec202403040001' 'nonce-alldec202403040002' 
'nonce-trwFrame-202403040001' 'nonce-footer-202403040001' 
'nonce-menu202403040001' 'nonce-Header2022092604' 'nonce-Header2022092603' 
'nonce-Header2022092602' 'nonce-Header2022092601' 
'nonce-header-momentjs-20221027' 'nonce-header-inline-2022102701' 
'nonce-header-inline-2022102702'". Either the 'unsafe-inline' keyword, a 
hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline 
execution. Note that hashes do not apply to event handlers, style 
attributes and javascript: navigations unless the 'unsafe-hashes' keyword 
is present.

My code logic with different approaches, and none of them work for me:

<script src="../trw4/alldec/AllDec.nocache.js?timeStamp=<%= "" + new java.util.Date().getTime() %>" nonce="alldec202403040001"></script>

<script src="../trw4/alldec/AllDec.nocache.js?timeStamp=<%= "" + new java.util.Date().getTime() %>" nonce="nonce-alldec202403040001"></script>

<script src="../trw4/alldec/AllDec.nocache.js?nonce=alldec202403040001&timeStamp=<%= "" + new java.util.Date().getTime() %>" nonce="alldec202403040001"></script>

<script src="../trw4/alldec/AllDec.nocache.js?nonce=nonce-alldec202403040001&timeStamp=<%= "" + new java.util.Date().getTime() %>" nonce="nonce-alldec202403040001"></script>

I tried this as well but it is not working:

    String scriptUrl = "../trw4/alldec/AllDec.nocache.js?nonce=alldec202403040001";
    ScriptInjector.fromUrl(scriptUrl)
        .setWindow(ScriptInjector.TOP_WINDOW)
        .inject();

Need your valuable inputs to achieve Content Security Policy in GWT using 
script-src 'self' and object-src 'self' without unsafe-inline and 
unsafe-eval.
I suspect the inline JavaScript code is not allowing me to apply script-src 
'self' and object-src 'self' without unsafe-inline and unsafe-eval.


Here is my AllDec.nocache.js:
function AllDec(){
  var $intern_0 = 'bootstrap', $intern_1 = 'begin', $intern_2 = 
'gwt.codesvr.AllDec=', $intern_3 = 'gwt.codesvr=', $intern_4 = 'AllDec', 
$intern_5 = 'startup', $intern_6 = 'DUMMY', $intern_7 = 0, $intern_8 = 1, 
$intern_9 = 'iframe', $intern_10 = 'javascript:""', $intern_11 = 
'position:absolute; width:0; height:0; border:none; left: -1000px;', 
$intern_12 = ' top: -1000px;', $intern_13 = 'CSS1Compat', $intern_14 = 
'', $intern_15 = '', $intern_16 = 
'<\/head><\/body><\/html>', $intern_17 = 'undefined', 
$intern_18 = 'readystatechange', $intern_19 = 10, $intern_20 = 'script', 
$intern_21 = 'javascript', $intern_22 = 'Failed to load ', $intern_23 = 
'moduleStartup', $intern_24 = 'scriptTagAdded', $intern_25 = 
'moduleRequested', $intern_26 = 'meta', $intern_27 = 'name', $intern_28 = 
'AllDec::', $intern_29 = '::', $intern_30 = 'gwt:property', $intern_31 = 
'content', $intern_32 = '=', $intern_33 = 'gwt:onPropertyErrorFn', 
$intern_34 = 'Bad handler "', $intern_35 = '" for "gwt:onPropertyErrorFn"', 
$intern_36 = 'gwt:onLoadErrorFn', $intern_37 = '" for "gwt:onLoadErrorFn"', 
$intern_38 = '#', $intern_39 = '?', $intern_40 = '/', $intern_41 = 'img', 
$intern_42 = 'clear.cache.gif', $intern_43 = 'baseUrl', $intern_44 = 
'AllDec.nocache.js', $intern_45 = 'base', $intern_46 = '//', $intern_47 = 
'user.agent', $intern_48 = 'webkit', $intern_49 = 'safari', $intern_50 = 
'msie', $intern_51 = 11, $intern_52 = 'ie10', $intern_53 = 9, $intern_54 = 
'ie9', $intern_55 = 8, $intern_56 = 'ie8', $intern_57 = 'gecko', $intern_58 
= 'gecko1_8', $intern_59 = 2, $intern_60 = 3, $intern_61 = 4, $intern_62 = 
'selectingPermutation', $intern_63 = 'AllDec.devmode.js', $intern_64 = 
'0EF85E4190AC447E05897F96A6F99F47', $intern_65 = 
'4907B969BA14903A87055E501F608F15', $intern_66 = 
'9EE4E7BDFF866FF07E4C05A26DDA5C46', $intern_67 = 
'CDC1ED083BDDEDA5A079F2A66A48A35D', $intern_68 = 
'FD596E46A331AE61B689F91C1973282E', $intern_69 = ':', $intern_70 = 
'.cache.js', $intern_71 = 'link', $intern_72 = 'rel', $intern_73 = 
'stylesheet', $intern_74 = 'href', $intern_75 = 'head', $intern_76 = 
'loadExternalRefs', $intern_77 = 'Trw4gui.css', $intern_78 = 'end', 
$intern_79 = 'http:', $intern_80 = 'file:', $intern_81 = '_gwt_dummy_', 
$intern_82 = '__gwtDevModeHook:AllDec', $intern_83 = 'Ignoring 
non-whitelisted Dev Mode URL: ', $intern_84 = ':moduleBase';
  var $wnd = window;
  var $doc = document;
  sendStats($intern_0, $intern_1);
  function isHostedMode(){
    var query = $wnd.location.search;
    return query.indexOf($intern_2) != -1 || query.indexOf($intern_3) != -1;
  }

  function sendStats(evtGroupString, typeString){
    if ($wnd.__gwtStatsEvent) {
      $wnd.__gwtStatsEvent({moduleName:$intern_4, sessionId:$wnd.__gwtStatsSessionId, subSystem:$intern_5, evtGroup:evtGroupString, millis:(new Date).getTime(), type:typeString});
    }
  }

  AllDec.__sendStats = sendStats;
  AllDec.__moduleName = $intern_4;
  AllDec.__errFn = null;
  AllDec.__moduleBase = $intern_6;
  AllDec.__softPermutationId = $intern_7;
  AllDec.__computePropValue = null;
  AllDec.__getPropMap = null;
  AllDec.__installRunAsyncCode =