What to do to make a GWT product Strict CSP Compatible?

I have made a web app in GWT. CSP Mitigator is saying that I have many eval statements and javascript URIs in the loaded JS, so my project is not Strict CSP Compatible.

But the problem in my case is that I write code in Java and GWT makes the JS for me.

I also asked the GWT community, but they say that in the next release of GWT, CSP compliance will be covered.

But till then, does anyone know how I can solve this vulnerability?

Sahil Aggarwal asked Oct 09 '17 12:10




2 Answers

The release of GWT 2.8.2 has come, which is CSP compliant.

Sahil Aggarwal answered Sep 19 '22 14:09



Not entirely out of the box, just improved CSP support in gwt-2.8.2.

For instance, GWT-compiled JS includes data URLs such as data:image/gif;base64.. and will violate img-src 'self';

It is awkward to include such URLs in CSP. Even worse is using img-src 'self' data:; as hackers can inject anything in the data scheme.

This can be turned off in the module gwt.xml. Disable the use of data: URLs:

<set-property name="ClientBundle.enableInlining" value="false" />

There are also pending CSP issues where the GWT code base still uses eval, which requires unsafe-eval in CSP declarations.

Additionally, this is an issue since it violates CSP, as eval isn't particularly safe, and some sites would like to forbid its use to further protect their data and their users.

https://github.com/gwtproject/gwt/issues/9578

makara answered Sep 21 '22 14:09

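A way to check a served policy against the two weaknesses this answer names, as an added example that is not part of the original post and not code from the GWT project: a small Python audit that parses a Content-Security-Policy header value and flags script-src 'unsafe-eval' (what eval-using GWT output needs) and img-src data: (what inlined ClientBundle resources need). The header values WEAK_CSP and STRICT_CSP are constructed for the example, and the function names are mine.

```python
"""Audit a Content-Security-Policy header for the weak settings discussed
above. Constructed example; not from GWT or the original post."""
from typing import Dict, List

# Constructed sample headers: the first is what a site tends to end up with
# when it lets GWT's eval and data: URLs through; the second is the target.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-eval'; img-src 'self' data:"
STRICT_CSP = "default-src 'self'; script-src 'self'; img-src 'self'; object-src 'none'"


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive-name: [source expressions]}.

    Directives are ';'-separated, tokens are whitespace-separated, and a
    directive that appears twice is ignored the second time (as browsers do).
    """
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        sources = [t.lower() for t in tokens[1:]]
        policy.setdefault(name, sources)
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Fetch directives fall back to default-src when they are not set."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", [])


def audit_csp(header: str) -> List[str]:
    """Return a list of findings; an empty list means none of the checked
    weaknesses are present."""
    policy = parse_csp(header)
    findings: List[str] = []

    script = effective_sources(policy, "script-src")
    if not script:
        findings.append("no script-src or default-src: scripts are unrestricted")
    if "'unsafe-eval'" in script:
        findings.append("script-src allows 'unsafe-eval' (needed by eval-using JS; "
                        "see GWT issue 9578)")
    has_nonce_or_hash = any(s.startswith("'nonce-") or s.startswith("'sha")
                            for s in script)
    if "'unsafe-inline'" in script and not has_nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline' without a nonce or hash")
    if "*" in script:
        findings.append("script-src allows scripts from any host")

    img = effective_sources(policy, "img-src")
    if "data:" in img:
        findings.append("img-src allows data: (disable ClientBundle.enableInlining "
                        "instead of widening the policy)")
    return findings


def is_strict_compatible(header: str) -> bool:
    """True when the audit finds nothing to report."""
    return not audit_csp(header)


if __name__ == "__main__":
    for label, value in (("weak", WEAK_CSP), ("strict", STRICT_CSP)):
        print(f"{label}: {value}")
        for finding in audit_csp(value) or ["no findings"]:
            print("  -", finding)
```

Run it as a script to see both sample policies audited; in practice feed it the header value taken from the server's response so that a build that quietly regains eval or data: URLs is noticed before the policy is loosened to match.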