What to do to make GWT product Strict CSP Comapatible?

Question

I have made a web app in gwt, CSP Mitigator is saying that, I have many eval statements and javascript uri's in js loaded, so my project is not Strict CSP Compatible .

But problem in my case is that, I write code in java and gwwt make js for me.

I also asked gwt community, but they says that in next release of gwt, csp compliance will be covered.

But till then, Do anyone knows, how can I solve this vulnerability .

Answer 1

Release Of gwt 2.8.2 has come which is csp compliance .

Answer 2

Not entirely out of box, just improved CSP support in gwt-2.8.2.

For instance GWT compiled js includes data URLs such as data:image/gif;base64.. and will violate img-src 'self';

It is awkward including such URLs in CSP. More worse using img-src 'self' data:; as hackers can inject anything in data scheme.

This can be turned off in module gwt.xml. Disable the use of data: URLs

<set-property name="ClientBundle.enableInlining" value="false" />

There are also pending CSP issues where GWT code base still uses eval that require unsafe-eval in CSP declarations.

Additionally, this is an issue since it violates CSP, as eval isn't particularly safe, and some sites would like to forbid its use to further protect their data and their users.

https://github.com/gwtproject/gwt/issues/9578