subject:"apply content secure policy using script\-src 'self' and object\-src 'self' without unsafe\-inline and unsafe\-eval"

apply content secure policy using script-src 'self' and object-src 'self' without unsafe-inline and unsafe-eval

2024-03-06 Thread paparao rambuddi

Hi Team
Hope you are doing well

i am using GWT version 2.8.2
i am trying to apply content secure policy in GWT using  script-src 'self' 
and object-src 'self' without unsafe-inline and unsafe-eval but i am 
getting below 

setupInstallLocation @ AllDec.nocache.js?timeStamp=1709618887261:71
AllDec.nocache.js?timeStamp=1709618887261:71 Refused to run the JavaScript 
URL because it violates the following Content Security Policy directive: 
"script-src 'self'  'nonce-alldec202403040001' 'nonce-alldec202403040002' 
'nonce-trwFrame-202403040001' 'nonce-footer-202403040001' 
'nonce-menu202403040001' 'nonce-Header2022092604' 'nonce-Header2022092603' 
'nonce-Header2022092602' 'nonce-Header2022092601' 
'nonce-header-momentjs-20221027' 'nonce-header-inline-2022102701' 
'nonce-header-inline-2022102702'". Either the 'unsafe-inline' keyword, a 
hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline 
execution. Note that hashes do not apply to event handlers, style 
attributes and javascript: navigations unless the 'unsafe-hashes' keyword 
is present.

my code logic with different approaches and none of them work for me 


" nonce="alldec202403040001">


" nonce="nonce-alldec202403040001">

" nonce="alldec202403040001">


" 
nonce="nonce-alldec202403040001">

i tried this as well but not working 

   String scriptUrl = 
"../trw4/alldec/AllDec.nocache.js?nonce=alldec202403040001"
   ScriptInjector.fromUrl(scriptUrl)
.setWindow(ScriptInjector.TOP_WINDOW)
.inject();

Need your valuable inputs to achieve content secure policy in GWT using 
 script-src 'self' and object-src 'self' without unsafe-inline and 
unsafe-eval
i suspect the inline java script code is not allowing  to apply  script-src 
'self' and object-src 'self' without unsafe-inline and unsafe-eval


here is my AllDec.nocache.js 
function AllDec(){
  var $intern_0 = 'bootstrap', $intern_1 = 'begin', $intern_2 = 
'gwt.codesvr.AllDec=', $intern_3 = 'gwt.codesvr=', $intern_4 = 'AllDec', 
$intern_5 = 'startup', $intern_6 = 'DUMMY', $intern_7 = 0, $intern_8 = 1, 
$intern_9 = 'iframe', $intern_10 = 'javascript:""', $intern_11 = 
'position:absolute; width:0; height:0; border:none; left: -1000px;', 
$intern_12 = ' top: -1000px;', $intern_13 = 'CSS1Compat', $intern_14 = 
'', $intern_15 = '', $intern_16 = 
'<\/head><\/body><\/html>', $intern_17 = 'undefined', 
$intern_18 = 'readystatechange', $intern_19 = 10, $intern_20 = 'script', 
$intern_21 = 'javascript', $intern_22 = 'Failed to load ', $intern_23 = 
'moduleStartup', $intern_24 = 'scriptTagAdded', $intern_25 = 
'moduleRequested', $intern_26 = 'meta', $intern_27 = 'name', $intern_28 = 
'AllDec::', $intern_29 = '::', $intern_30 = 'gwt:property', $intern_31 = 
'content', $intern_32 = '=', $intern_33 = 'gwt:onPropertyErrorFn', 
$intern_34 = 'Bad handler "', $intern_35 = '" for "gwt:onPropertyErrorFn"', 
$intern_36 = 'gwt:onLoadErrorFn', $intern_37 = '" for "gwt:onLoadErrorFn"', 
$intern_38 = '#', $intern_39 = '?', $intern_40 = '/', $intern_41 = 'img', 
$intern_42 = 'clear.cache.gif', $intern_43 = 'baseUrl', $intern_44 = 
'AllDec.nocache.js', $intern_45 = 'base', $intern_46 = '//', $intern_47 = 
'user.agent', $intern_48 = 'webkit', $intern_49 = 'safari', $intern_50 = 
'msie', $intern_51 = 11, $intern_52 = 'ie10', $intern_53 = 9, $intern_54 = 
'ie9', $intern_55 = 8, $intern_56 = 'ie8', $intern_57 = 'gecko', $intern_58 
= 'gecko1_8', $intern_59 = 2, $intern_60 = 3, $intern_61 = 4, $intern_62 = 
'selectingPermutation', $intern_63 = 'AllDec.devmode.js', $intern_64 = 
'0EF85E4190AC447E05897F96A6F99F47', $intern_65 = 
'4907B969BA14903A87055E501F608F15', $intern_66 = 
'9EE4E7BDFF866FF07E4C05A26DDA5C46', $intern_67 = 
'CDC1ED083BDDEDA5A079F2A66A48A35D', $intern_68 = 
'FD596E46A331AE61B689F91C1973282E', $intern_69 = ':', $intern_70 = 
'.cache.js', $intern_71 = 'link', $intern_72 = 'rel', $intern_73 = 
'stylesheet', $intern_74 = 'href', $intern_75 = 'head', $intern_76 = 
'loadExternalRefs', $intern_77 = 'Trw4gui.css', $intern_78 = 'end', 
$intern_79 = 'http:', $intern_80 = 'file:', $intern_81 = '_gwt_dummy_', 
$intern_82 = '__gwtDevModeHook:AllDec', $intern_83 = 'Ignoring 
non-whitelisted Dev Mode URL: ', $intern_84 = ':moduleBase';
  var $wnd = window;
  var $doc = document;
  sendStats($intern_0, $intern_1);
  function isHostedMode(){
var query = $wnd.location.search;
return query.indexOf($intern_2) != -1 || query.indexOf($intern_3) != -1;
  }

  function sendStats(evtGroupString, typeString){
if ($wnd.__gwtStatsEvent) {
  $wnd.__gwtStatsEvent({moduleName:$intern_4, 
sessionId:$wnd.__gwtStatsSessionId, subSystem:$intern_5, 
evtGroup:evtGroupString, millis:(new Date).getTime(), type:typeString});
}
  }

  AllDec.__sendStats = sendStats;
  AllDec.__moduleName = $intern_4;
  AllDec.__errFn = null;
  AllDec.__moduleBase = $intern_6;
  AllDec.__softPermutationId = $intern_7;
  AllDec.__computePropValue = null;
  AllDec.__getPropMap = null;
  AllDec.__installRunAsyncCode = function(

Re: apply content secure policy using script-src 'self' and object-src 'self' without unsafe-inline and unsafe-eval

2024-03-06 Thread Thomas Broyer

The problem is not loading the nocache.js itself, but is triggered by the 
setupInstallLocation function of the nocache.js, at line 71, specifically 
the line:
$doc.body.appendChild(scriptFrame);
and probably due to that line:
scriptFrame.src = $intern_10;
because of:
$intern_10 = 'javascript:""'

This was actually fixed in 
2.8.2: 
https://github.com/gwtproject/gwt/commit/f5df41df4016cd2ce4e6a15a637dbe2ddc4f3fab,
 
so you're probably using an older version.
One workaround, as described in the comments in that file is to extend 
CrossSiteIframeLinker and override getJsInstallLocation() to return your 
own script where you'd have applied the fix.

…but then things will break in installCode and __installRunAsyncCode, 
coming 
from 
https://github.com/gwtproject/gwt/blob/2.8.2/dev/core/src/com/google/gwt/core/ext/linker/impl/installScriptDirect.js
 
and 
https://github.com/gwtproject/gwt/blob/2.8.2/dev/core/src/com/google/gwt/core/ext/linker/impl/runAsync.js
 
respectively.
You'll want to replace those with modified versions (read 
CrossSiteIframeLinker to see how to override them) that will add the nonce 
to the dynamically created script (though as they're injected into the 
iframe that's been dynamicallly created in setupInstallLocation, I'm not 
sure how/which CSP applies there)
On Wednesday, March 6, 2024 at 4:47:29 PM UTC+1 paparao@gmail.com wrote:

> Hi Team
> Hope you are doing well
>
> i am using GWT version 2.8.2
> i am trying to apply content secure policy in GWT using  script-src 'self' 
> and object-src 'self' without unsafe-inline and unsafe-eval but i am 
> getting below 
>
> setupInstallLocation @ AllDec.nocache.js?timeStamp=1709618887261:71
> AllDec.nocache.js?timeStamp=1709618887261:71 Refused to run the JavaScript 
> URL because it violates the following Content Security Policy directive: 
> "script-src 'self'  'nonce-alldec202403040001' 'nonce-alldec202403040002' 
> 'nonce-trwFrame-202403040001' 'nonce-footer-202403040001' 
> 'nonce-menu202403040001' 'nonce-Header2022092604' 'nonce-Header2022092603' 
> 'nonce-Header2022092602' 'nonce-Header2022092601' 
> 'nonce-header-momentjs-20221027' 'nonce-header-inline-2022102701' 
> 'nonce-header-inline-2022102702'". Either the 'unsafe-inline' keyword, a 
> hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline 
> execution. Note that hashes do not apply to event handlers, style 
> attributes and javascript: navigations unless the 'unsafe-hashes' keyword 
> is present.
>
> my code logic with different approaches and none of them work for me 
>
>
>  src="../trw4/alldec/AllDec.nocache.js?timeStamp=<%= "" + new 
> java.util.Date().getTime() %>" nonce="alldec202403040001">
>
>
>  src="../trw4/alldec/AllDec.nocache.js?timeStamp=<%= "" + new 
> java.util.Date().getTime() %>" nonce="nonce-alldec202403040001">
>
>  src="../trw4/alldec/AllDec.nocache.js?nonce=alldec202403040001&timeStamp=<%= 
> "" + new java.util.Date().getTime() %>" nonce="alldec202403040001">
>
>
>  src="../trw4/alldec/AllDec.nocache.js?nonce=nonce-alldec202403040001&timeStamp=<%=
>  
> "" + new java.util.Date().getTime() %>" 
> nonce="nonce-alldec202403040001">
>
> i tried this as well but not working 
>
>String scriptUrl = 
> "../trw4/alldec/AllDec.nocache.js?nonce=alldec202403040001"
>ScriptInjector.fromUrl(scriptUrl)
> .setWindow(ScriptInjector.TOP_WINDOW)
> .inject();
>
> Need your valuable inputs to achieve content secure policy in GWT using 
>  script-src 'self' and object-src 'self' without unsafe-inline and 
> unsafe-eval
> i suspect the inline java script code is not allowing  to apply  
> script-src 'self' and object-src 'self' without unsafe-inline and 
> unsafe-eval
>
>
> here is my AllDec.nocache.js 
> function AllDec(){
>   var $intern_0 = 'bootstrap', $intern_1 = 'begin', $intern_2 = 
> 'gwt.codesvr.AllDec=', $intern_3 = 'gwt.codesvr=', $intern_4 = 'AllDec', 
> $intern_5 = 'startup', $intern_6 = 'DUMMY', $intern_7 = 0, $intern_8 = 1, 
> $intern_9 = 'iframe', $intern_10 = 'javascript:""', $intern_11 = 
> 'position:absolute; width:0; height:0; border:none; left: -1000px;', 
> $intern_12 = ' top: -1000px;', $intern_13 = 'CSS1Compat', $intern_14 = 
> '', $intern_15 = '', $intern_16 = 
> '<\/head><\/body><\/html>', $intern_17 = 'undefined', 
> $intern_18 = 'readystatechange', $intern_19 = 10, $intern_20 = 'script', 
> $intern_21 = 'javascript', $intern_22 = 'Failed to load ', $intern_23 = 
> 'moduleStartup', $intern_24 = 'scriptTagAdded', $intern_25 = 
> 'moduleRequested', $intern_26 = 'meta', $intern_27 = 'name', $intern_28 = 
> 'AllDec::', $intern_29 = '::', $intern_30 = 'gwt:property', $intern_31 = 
> 'content', $intern_32 = '=', $intern_33 = 'gwt:onPropertyErrorFn', 
> $intern_34 = 'Bad handler "', $intern_35 = '" for "gwt:onPropertyErrorFn"', 
> $intern_36 = 'gwt:onLoadErrorFn', $intern_37 = '" for "gwt:onLoadErrorFn"', 
> $intern_38 = '#', $intern_39 = '?', $intern_40 = '/', $intern_41 = 'img', 
> $intern_42 = 'clear.cache.gif

Re: apply content secure policy using script-src 'self' and object-src 'self' without unsafe-inline and unsafe-eval

2024-03-07 Thread paparao rambuddi

Thank for your reply, i have migrated to   2.8.2 but now i am facing new 
issues 

1. No RPC is call happened Ex: i existing Databasecall to load the data , 
save data ..etc but after we apply CSP (with unsafe-inline and unsafe-eval) 
those are not working
2. Existing validations are not triggered ex: earlier my UI is throwing 
error for mandatory data but now this is not working  

On Thursday 7 March 2024 at 00:08:00 UTC+8 Thomas Broyer wrote:

> The problem is not loading the nocache.js itself, but is triggered by the 
> setupInstallLocation function of the nocache.js, at line 71, specifically 
> the line:
> $doc.body.appendChild(scriptFrame);
> and probably due to that line:
> scriptFrame.src = $intern_10;
> because of:
> $intern_10 = 'javascript:""'
>
> This was actually fixed in 2.8.2: 
> https://github.com/gwtproject/gwt/commit/f5df41df4016cd2ce4e6a15a637dbe2ddc4f3fab,
>  
> so you're probably using an older version.
> One workaround, as described in the comments in that file is to extend 
> CrossSiteIframeLinker and override getJsInstallLocation() to return your 
> own script where you'd have applied the fix.
>
> …but then things will break in installCode and __installRunAsyncCode, 
> coming from 
> https://github.com/gwtproject/gwt/blob/2.8.2/dev/core/src/com/google/gwt/core/ext/linker/impl/installScriptDirect.js
>  
> and 
> https://github.com/gwtproject/gwt/blob/2.8.2/dev/core/src/com/google/gwt/core/ext/linker/impl/runAsync.js
>  
> respectively.
> You'll want to replace those with modified versions (read 
> CrossSiteIframeLinker to see how to override them) that will add the nonce 
> to the dynamically created script (though as they're injected into the 
> iframe that's been dynamicallly created in setupInstallLocation, I'm not 
> sure how/which CSP applies there)
> On Wednesday, March 6, 2024 at 4:47:29 PM UTC+1 paparao@gmail.com 
> wrote:
>
>> Hi Team
>> Hope you are doing well
>>
>> i am using GWT version 2.8.2
>> i am trying to apply content secure policy in GWT using  script-src 
>> 'self' and object-src 'self' without unsafe-inline and unsafe-eval but i am 
>> getting below 
>>
>> setupInstallLocation @ AllDec.nocache.js?timeStamp=1709618887261:71
>> AllDec.nocache.js?timeStamp=1709618887261:71 Refused to run the 
>> JavaScript URL because it violates the following Content Security Policy 
>> directive: "script-src 'self'  'nonce-alldec202403040001' 
>> 'nonce-alldec202403040002' 'nonce-trwFrame-202403040001' 
>> 'nonce-footer-202403040001' 'nonce-menu202403040001' 
>> 'nonce-Header2022092604' 'nonce-Header2022092603' 'nonce-Header2022092602' 
>> 'nonce-Header2022092601' 'nonce-header-momentjs-20221027' 
>> 'nonce-header-inline-2022102701' 'nonce-header-inline-2022102702'". Either 
>> the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce 
>> ('nonce-...') is required to enable inline execution. Note that hashes do 
>> not apply to event handlers, style attributes and javascript: navigations 
>> unless the 'unsafe-hashes' keyword is present.
>>
>> my code logic with different approaches and none of them work for me 
>>
>>
>> > src="../trw4/alldec/AllDec.nocache.js?timeStamp=<%= "" + new 
>> java.util.Date().getTime() %>" nonce="alldec202403040001">
>>
>>
>> > src="../trw4/alldec/AllDec.nocache.js?timeStamp=<%= "" + new 
>> java.util.Date().getTime() %>" nonce="nonce-alldec202403040001">
>>
>> > src="../trw4/alldec/AllDec.nocache.js?nonce=alldec202403040001&timeStamp=<%= 
>> "" + new java.util.Date().getTime() %>" nonce="alldec202403040001">
>>
>>
>> > src="../trw4/alldec/AllDec.nocache.js?nonce=nonce-alldec202403040001&timeStamp=<%=
>>  
>> "" + new java.util.Date().getTime() %>" 
>> nonce="nonce-alldec202403040001">
>>
>> i tried this as well but not working 
>>
>>String scriptUrl = 
>> "../trw4/alldec/AllDec.nocache.js?nonce=alldec202403040001"
>>ScriptInjector.fromUrl(scriptUrl)
>> .setWindow(ScriptInjector.TOP_WINDOW)
>> .inject();
>>
>> Need your valuable inputs to achieve content secure policy in GWT using 
>>  script-src 'self' and object-src 'self' without unsafe-inline and 
>> unsafe-eval
>> i suspect the inline java script code is not allowing  to apply  
>> script-src 'self' and object-src 'self' without unsafe-inline and 
>> unsafe-eval
>>
>>
>> here is my AllDec.nocache.js 
>> function AllDec(){
>>   var $intern_0 = 'bootstrap', $intern_1 = 'begin', $intern_2 = 
>> 'gwt.codesvr.AllDec=', $intern_3 = 'gwt.codesvr=', $intern_4 = 'AllDec', 
>> $intern_5 = 'startup', $intern_6 = 'DUMMY', $intern_7 = 0, $intern_8 = 1, 
>> $intern_9 = 'iframe', $intern_10 = 'javascript:""', $intern_11 = 
>> 'position:absolute; width:0; height:0; border:none; left: -1000px;', 
>> $intern_12 = ' top: -1000px;', $intern_13 = 'CSS1Compat', $intern_14 = 
>> '', $intern_15 = '', $intern_16 = 
>> '<\/head><\/body><\/html>', $intern_17 = 'undefined', 
>> $intern_18 = 'readystatechange', $intern_19 = 10, $intern_20 = 'script', 
>> $intern_21 = 'javascript', $intern_22 =

Re: apply content secure policy using script-src 'self' and object-src 'self' without unsafe-inline and unsafe-eval

2024-03-07 Thread paparao rambuddi

Thank for your reply, i have migrated to   2.8.2 but now i am facing new
issues

1. No RPC is call happened Ex: i existing Databasecall to load the data ,
save data ..etc but after we apply CSP (without unsafe-inline and
unsafe-eval) those are not working
2. Existing validations are not triggered ex: earlier my UI is throwing
error for mandatory data but now this is not working


On Thu, 7 Mar 2024 at 4:33 PM, paparao rambuddi 
wrote:

> Thank for your reply, i have migrated to   2.8.2 but now i am facing new
> issues
>
> 1. No RPC is call happened Ex: i existing Databasecall to load the data ,
> save data ..etc but after we apply CSP (without unsafe-inline and
> unsafe-eval) those are not working
> 2. Existing validations are not triggered ex: earlier my UI is throwing
> error for mandatory data but now this is not working
>
> On Thursday 7 March 2024 at 00:08:00 UTC+8 Thomas Broyer wrote:
>
>> The problem is not loading the nocache.js itself, but is triggered by the
>> setupInstallLocation function of the nocache.js, at line 71, specifically
>> the line:
>> $doc.body.appendChild(scriptFrame);
>> and probably due to that line:
>> scriptFrame.src = $intern_10;
>> because of:
>> $intern_10 = 'javascript:""'
>>
>> This was actually fixed in 2.8.2:
>> https://github.com/gwtproject/gwt/commit/f5df41df4016cd2ce4e6a15a637dbe2ddc4f3fab,
>> so you're probably using an older version.
>> One workaround, as described in the comments in that file is to extend
>> CrossSiteIframeLinker and override getJsInstallLocation() to return your
>> own script where you'd have applied the fix.
>>
>> …but then things will break in installCode and __installRunAsyncCode,
>> coming from
>> https://github.com/gwtproject/gwt/blob/2.8.2/dev/core/src/com/google/gwt/core/ext/linker/impl/installScriptDirect.js
>> and
>> https://github.com/gwtproject/gwt/blob/2.8.2/dev/core/src/com/google/gwt/core/ext/linker/impl/runAsync.js
>> respectively.
>> You'll want to replace those with modified versions (read
>> CrossSiteIframeLinker to see how to override them) that will add the nonce
>> to the dynamically created script (though as they're injected into the
>> iframe that's been dynamicallly created in setupInstallLocation, I'm not
>> sure how/which CSP applies there)
>> On Wednesday, March 6, 2024 at 4:47:29 PM UTC+1 paparao@gmail.com
>> wrote:
>>
>>> Hi Team
>>> Hope you are doing well
>>>
>>> i am using GWT version 2.8.2
>>> i am trying to apply content secure policy in GWT using  script-src
>>> 'self' and object-src 'self' without unsafe-inline and unsafe-eval but i am
>>> getting below
>>>
>>> setupInstallLocation @ AllDec.nocache.js?timeStamp=1709618887261:71
>>> AllDec.nocache.js?timeStamp=1709618887261:71 Refused to run the
>>> JavaScript URL because it violates the following Content Security Policy
>>> directive: "script-src 'self'  'nonce-alldec202403040001'
>>> 'nonce-alldec202403040002' 'nonce-trwFrame-202403040001'
>>> 'nonce-footer-202403040001' 'nonce-menu202403040001'
>>> 'nonce-Header2022092604' 'nonce-Header2022092603' 'nonce-Header2022092602'
>>> 'nonce-Header2022092601' 'nonce-header-momentjs-20221027'
>>> 'nonce-header-inline-2022102701' 'nonce-header-inline-2022102702'". Either
>>> the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce
>>> ('nonce-...') is required to enable inline execution. Note that hashes do
>>> not apply to event handlers, style attributes and javascript: navigations
>>> unless the 'unsafe-hashes' keyword is present.
>>>
>>> my code logic with different approaches and none of them work for me
>>>
>>>
>>> >> src="../trw4/alldec/AllDec.nocache.js?timeStamp=<%= "" + new
>>> java.util.Date().getTime() %>" nonce="alldec202403040001">
>>>
>>>
>>> >> src="../trw4/alldec/AllDec.nocache.js?timeStamp=<%= "" + new
>>> java.util.Date().getTime() %>" nonce="nonce-alldec202403040001">
>>>
>>> >> src="../trw4/alldec/AllDec.nocache.js?nonce=alldec202403040001&timeStamp=<%=
>>> "" + new java.util.Date().getTime() %>" nonce="alldec202403040001">
>>>
>>>
>>> >> src="../trw4/alldec/AllDec.nocache.js?nonce=nonce-alldec202403040001&timeStamp=<%=
>>> "" + new java.util.Date().getTime() %>"
>>> nonce="nonce-alldec202403040001">
>>>
>>> i tried this as well but not working
>>>
>>>String scriptUrl =
>>> "../trw4/alldec/AllDec.nocache.js?nonce=alldec202403040001"
>>>ScriptInjector.fromUrl(scriptUrl)
>>> .setWindow(ScriptInjector.TOP_WINDOW)
>>> .inject();
>>>
>>> Need your valuable inputs to achieve content secure policy in GWT using
>>>  script-src 'self' and object-src 'self' without unsafe-inline and
>>> unsafe-eval
>>> i suspect the inline java script code is not allowing  to apply
>>> script-src 'self' and object-src 'self' without unsafe-inline and
>>> unsafe-eval
>>>
>>>
>>> here is my AllDec.nocache.js
>>> function AllDec(){
>>>   var $intern_0 = 'bootstrap', $intern_1 = 'begin', $intern_2 =
>>> 'gwt.codesvr.AllDec=', $intern_3 = 'gwt.codesvr=', $intern_4 = 'AllDec',
>>> $intern_5 = 'star

apply content secure policy using script-src 'self' and object-src 'self' without unsafe-inline and unsafe-eval

Re: apply content secure policy using script-src 'self' and object-src 'self' without unsafe-inline and unsafe-eval

Re: apply content secure policy using script-src 'self' and object-src 'self' without unsafe-inline and unsafe-eval

Re: apply content secure policy using script-src 'self' and object-src 'self' without unsafe-inline and unsafe-eval

4 matches

Site Navigation

Mail list logo

Footer information