I have made a web app in GWT, and CSP Mitigator is saying that I have many eval statements and javascript: URIs in the loaded JS, so my project is not Strict CSP compatible.
But the problem in my case is that I write code in Java and GWT makes the JS for me.
I also asked the GWT community, but they say that in the next release of GWT, CSP compliance will be covered.
But till then, does anyone know how I can solve this vulnerability?
Asked Oct 9, 2017 at 12:20 by Sahil Aggarwal, edited Oct 9, 2017 at 13:52.

Comments:
- As far as I can tell, all of those CSP patches are merged except one (which won't matter to you if you don't use touch events) - you could use the nightly build until the 2.8.2 release comes out? – Colin Alworth, Oct 9, 2017 at 13:19
- Also, hard to help without a list of those violations. In the meantime, don't use strict CSP, enable unsafe-inline scripts (I thought we got rid of evals in 2.7 or 2.8, would be interested in knowing where they come from) – Thomas Broyer, Oct 9, 2017 at 20:41
2 Answers
Answer (5 votes): The release of GWT 2.8.2 has come, which is CSP compliant.
Answer: Not entirely out of the box, just improved CSP support in gwt-2.8.2.
For instance, GWT-compiled JS includes data URLs such as data:image/gif;base64... and will violate img-src 'self';
It is awkward to include such URLs in CSP. Even worse is using img-src 'self' data:; as hackers can inject anything in the data: scheme.
This can be turned off in the module gwt.xml. Disable the use of data: URLs:
<set-property name="ClientBundle.enableInlining" value="false" />
There are also pending CSP issues where the GWT code base still uses eval, which requires unsafe-eval in CSP declarations.
Additionally, this is an issue since it violates CSP, as eval isn't particularly safe, and some sites would like to forbid its use to further protect their data and their users.
https://github.com/gwtproject/gwt/issues/9578
Tags: javascript. Title: What to do to make GWT product Strict CSP Compatible? - Stack Overflow