GWT should support "Content Security Policy" #8197

@dankurka

Originally reported on Google Code with ID 8207

Found in GWT Release: any

Encountered on OS: any OS

Encountered on Browser: FF, Chrome

Detailed description (please be as specific as possible):

GWT should support CSP
https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html

Current issues:
- Devmode uses eval, which is forbidden by CSP
- History support with iFrame is not accepted by CSP

Used CSP HTTP Header:

    Content-Security-Policy: default-src 'self' gwt.google.com; img-src 'self'
    X-Content-Security-Policy: default-src 'self' gwt.google.com; img-src 'self'

GWT History iFrame in Hostpage:

    <iframe src="javascript:''" id="__gwt_historyFrame" style="width:0;height:0;border:0"></iframe>

Exception:

    08:30:06.117 [ERROR] [csptest] Unable to load module entry point class null (see associated exception for details)
    com.google.gwt.core.client.JavaScriptException: (Error) @com.google.gwt.core.client.impl.Impl::registerEntry()([]): call to eval() blocked by CSP
        at com.google.gwt.dev.shell.BrowserChannelServer.invokeJavascript(BrowserChannelServer.java:249)
        at com.google.gwt.dev.shell.ModuleSpaceOOPHM.doInvoke(ModuleSpaceOOPHM.java:136)
        at com.google.gwt.dev.shell.ModuleSpace.invokeNative(ModuleSpace.java:571)
        at com.google.gwt.dev.shell.ModuleSpace.invokeNativeObject(ModuleSpace.java:279)
        at com.google.gwt.dev.shell.JavaScriptHost.invokeNativeObject(JavaScriptHost.java:91)
        at com.google.gwt.core.client.impl.Impl.registerEntry(Impl.java)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:601)
        at com.google.gwt.dev.shell.ModuleSpace.onLoad(ModuleSpace.java:357)
        at com.google.gwt.dev.shell.OophmSessionHandler.loadModule(OophmSessionHandler.java:200)
        at com.google.gwt.dev.shell.BrowserChannelServer.processConnection(BrowserChannelServer.java:526)
        at com.google.gwt.dev.shell.BrowserChannelServer.run(BrowserChannelServer.java:364)
        at java.lang.Thread.run(Thread.java:722)

Firebug Console Output:

    CSP WARN: Directive inline script base restriction violated
    javascript:''
    CSP WARN: Directive eval script base restriction violated
    call to eval() or related function blocked by CSP

Workaround if you have one: not using CSP

Reported by daniel.gerber2 on 2013-06-19 06:50:37
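
Added example (not part of the original report and not GWT code): a simplified check of whether a CSP header permits the two things the report trips over, `eval()` and a `javascript:` iframe source. The function names and the second sample policy are assumptions made for illustration; the model covers only `script-src`/`default-src` fallback, `'unsafe-eval'`, `'unsafe-inline'`, and nonce/hash sources.

```javascript
// Added example: simplified CSP evaluation, not a full implementation
// (no 'unsafe-hashes', 'strict-dynamic', or report-only handling).

// Parse a policy string into a Map of directive name -> source expressions.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Source list that governs scripts: script-src, else default-src, else none.
function scriptSources(directives) {
  if (directives.has('script-src')) return directives.get('script-src');
  if (directives.has('default-src')) return directives.get('default-src');
  return null; // nothing in the policy restricts script execution
}

// Hypothetical helper: reports the two behaviours named in the issue.
function checkGwtCompat(policy) {
  const sources = scriptSources(parseCsp(policy));
  if (sources === null) return { evalAllowed: true, javascriptUrlAllowed: true };
  const lower = sources.map((s) => s.toLowerCase());
  // A nonce or hash source makes browsers ignore 'unsafe-inline'.
  const hasNonceOrHash = lower.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  return {
    evalAllowed: lower.includes("'unsafe-eval'"),
    javascriptUrlAllowed: lower.includes("'unsafe-inline'") && !hasNonceOrHash,
  };
}

// Policy taken from the report: both eval() and javascript:'' are blocked.
const reportedPolicy = "default-src 'self' gwt.google.com; img-src 'self'";
// Constructed policy: script-src overrides default-src, so only eval() passes.
const constructedPolicy = "default-src 'self'; script-src 'self' 'unsafe-eval'";

console.log(checkGwtCompat(reportedPolicy));
console.log(checkGwtCompat(constructedPolicy));
```
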
