Unable to get GWT application to work as a Chrome batch application, possibly due to CSP

Question

Unable to get GWT application to work as a Chrome batch application, possibly due to CSP

Continue to get CSP errors: "Inline script execution refused because it violates the following content security policy directive:" script -src "self" "

The problem is probably related to the HTML files generated by GWT that contain embedded JS.

UPD : migrating to manifest version 1 helped, but it's a temporary workaroud, as Chrome 21 complains that it will no longer be supported.

UPD2: <add-linker name="xsiframe" /> does not help

+8

google-chrome-extension gwt content-security-policy

Alexey Timanovsky Aug 25 '12 at 15:16

source share

4 answers

EDIT: A new GWT bug has appeared: http://code.google.com/p/google-web-toolkit/issues/detail?id=7685 , see also http://gwt-code-reviews.appspot.com/ 1838803 / , which is associated with this error

In other words, it seems that during the fix you just need to use DirectInstallLinker ( <add-linker name='direct_install'/> ).

At the same time, IIUC, you need to extend DirectInstallLinker and:

override getJsInstallLocation to return a copy of a installLocaltionIframe.js without $wnd part
override getModulePrefix to add var $wnd = $wnd || window.parent; var $wnd = $wnd || window.parent; to what super.getModulePrefix generated

I don't know CSP to give a complete answer, but the xsiframe linker is "customizable": create a class that extends com.google.gwt.core.linker.CrossSiteIframeLinker and overrides the appropriate methods, and then use with <define-linker> and <add-linker> in *.gwt.xml .

For example, getJsInstallLocation uses com/google/gwt/core/ext/linker/impl/installLocationIframe.js , but there is an alternative implementation of com/google/gwt/core/ext/linker/impl/installLocationMainWindows.js .

Similarly (and more importantly), getJsInstallScript uses com/google/gwt/core/ext/linker/impl/installScriptEarlyDownload.js , but there is also an alternative implementation of com/google/gwt/core/ext/linker/impl/installScriptDirect.js .

See http://code.google.com/p/google-web-toolkit/source/browse/trunk/dev/core/src/com/google/gwt/core/linker/CrossSiteIframeLinker.java#204 , http: //code.google.com/p/google-web-toolkit/source/browse/trunk/dev/core/src/com/google/gwt/core/ext/linker/impl/ and http://code.google .com / p / google-web-toolkit / source / browse / trunk / user / src / com / google / gwt / core / Core.gwt.xml

+5

Thomas Broyer Aug 27 '12 at 10:09

source share

Thanks to the advice of Thomas Breuer. I created this GWT Linker. Now my GWT application works fine as a Chrome application (tested on Chrome 32 and GWT 2.5.1).

The public class CSPCompatibleLinker extends DirectInstallLinker {

 @Override protected String getJsInstallLocation(LinkerContext context) { return "com/google/gwt/core/ext/linker/impl/installLocationMainWindow.js"; }

}

Remember to declare the linker in the * .gwt.xml file:

 <define-linker name="csp" class="com.sfeir.linker.CSPCompatibleLinker"/> <add-linker name="csp" />

+2

Mohamed abdennebi Jan 22 '14 at 14:22

source share

Manifest version 2 does not allow embedded scripts. You need to make sure that all scripts are linked, not JavaScript in the HTML elements.

0

Mike grace Aug 25 '12 at 16:51

source share

Carl · Accepted Answer · 2013-05-14T22:05:13+0000

GWT 2.5.1 has finally fixed this problem. Release notes documenting this are here:

https://developers.google.com/web-toolkit/release-notes#Release_Notes_2_5_1

and they claim that:

"Applications created using DirectInstallLinker should work on a page where embedded scripts are not allowed (for example, the Chrome extension)"

This means that you can now use DirectInstallLinker to link your packaged Chrome application in a way that meets the new security requirements of the manifest version 2 for embedded scripts. That is, using DirectInstallLinker to associate your application with GWT 2.5.1, selected as your version of GWT, GWT will not place any script elements inside its generated Javascript and therefore a new version 2 requirement so that there are no inline scripts will be broken.

I found that SingleScriptLinker also works for my own application; however, issue 7685 warns of using SingleScriptLinker because "This generates the $ doc.write string, which is not allowed in packaged applications." I myself use DirectInstallLinker.

Here is the Javadoc for DirectInstallLinker:

http://google-web-toolkit.googlecode.com/svn/javadoc/2.5/com/google/gwt/core/linker/DirectInstallLinker.html

To use this linker, you can include the following in your * .gwt.xml file:

 <define-linker name="dil" class="com.google.gwt.core.linker.DirectInstallLinker"/> <add-linker name="dil" />

(dil can be replaced with anything you choose if there are no dashes or other illegal characters).

You will need to select GWT 2.5.1 as your version of GWT. If you are using an older version of GWT in an older version of Eclipse, such as Ganymede (like me), you will need to upgrade to at least Helios and then import the project into a new Eclipse environment. The archive URLs for the Google Eclipse plugin that you can use for the last three versions of Eclipse can be found here:

https://developers.google.com/eclipse/docs/download

With the above you should set

 "manifest_version": 2

in your manifest.json file and not experiencing errors due to the built-in JWB script generated by GWT. This should allow your Chrome web app to be acceptable for the Chrome Web Store (which now requires manifest version 2 for any new apps or app updates), unless there are other issues.

Unable to get GWT application to work as a Chrome batch application, possibly due to CSP

More articles: