Announcement

Collapse
No announcement yet.
X
  • Filter
  • Time
Clear All
new posts

    Adding content-security-policy header is giving JS errors

    Hi Isomorphic,

    When header “Content-Security-Policy: default-src 'self'
    “ is added, smartGWT JS files stop working.

    Please find attached the image of JS errors coming.

    Click image for larger version

Name:	CSP.JPG
Views:	290
Size:	108.2 KB
ID:	250264
    Regards
    ​​​​​​​Sidharth ​​​​​​​
    Attached Files

    #2
    Because you forgot, yet again, to post what browser you're using (please please try to remember this!) we can't comment much on this.

    The second two appear to possibly be a browser bug (erroneously considering data URL consisting of inlined SVG as external content). You may be able to work around this by turning off CSP for "data:" urls or for image/svg+xml. Oddly the source is listed as an HTML file even though these data URLs actually appear in our .css files, so possibly your code is doing something special here. But you haven't provided instructions to reproduce the issue, so we can't look further.

    The first one we can't comment on since you've given no information on how to reproduce it.

    Note that you can have CSP violation information posted to a URL as JSON data, and that may help you figure out the actual causes of these reported violations.

    Comment


      #3
      The browser we are using is Google Chrome Version 62.0.3202.94.

      The first error is coming in generated project.nocache.js

      Steps to Reproduce:
      1. Create a simple server-client project serving HTTP request response.
      2. The response should return an HTML page which has a link to generated project.nocache.js.
      3. In the above HTTP response add a header for CSP and declare it as mentioned below
      Content-Security-Policy: script-src 'self' 4. When a request is sent to the project and the response is loaded into the browser, open the Chrome browser's developer tool and view the JS errors as mentioned in the screenshot.

      Thanks,
      Sidharth

      Comment


        #4
        project.nocache.js is the JavaScript GWT generates from your application code.

        Let us know if you find an issue with the SmartGWT framework.

        Comment

        Working...
        X