    CSP violation in SmartGWT

    In our project we are using SmartGWT 2.5 Pro. We have a requirement to make our project CSP compliant. While adding the CSP headers we are facing inline-eval and inline-script errors in SmartGWT. I have attached the errors for your review. Is it possible for you to make SmartGWT 2.5 Pro CSP compliant? Or can we expect the upcoming SmartGWT release to be CSP compliant?
    Starts: 9 Nov 2021
    Ends: 9 Nov 2021

    #2
    CSP is not a useful setting for SmartGWT, which is a component framework - you don't create HTML directly. CSP is used with other frameworks, such as Angular, where HTML elements are directly created, to prevent less-than-expert developers from making certain security mistakes.

    Further, if the CSP policy against inline-eval were enabled, this would cripple advanced web frameworks - can't dynamically load new code, for example.

    So CSP support is not planned for SmartGWT as it would have no positive effect and would cause many features to have to be deprecated.

    Comment


      #3
      Is there a library or fix added in SmartGWT to prevent XSS attacks or to make it CSP compliant?

      Comment


        #4
        See above - CSP does not apply to SmartGWT, because it's a component framework - you don't write HTML directly.

        Further, CSP is not necessary to prevent XSS attacks.

        Comment
