
Thread: Support for Content-Security-Policy (CSP)

  1. #1
    Sencha Premium Member
    Join Date
    Feb 2016
    Posts
    2

    Support for Content-Security-Policy (CSP)

    Hello!

    I have a GXT (4.0.2) application and I would like to eliminate the "unsafe-inline" and "unsafe-eval" terms from my Content-Security-Policy response header. But when I do this, the application isn't working anymore because of multiple violations against the policy.

    Are there any plans to support this? I'm aware of the fact that this is also a GWT issue which has to be addressed separately.

    Thanks for your answer.
    Florian

  2. #2
    Sencha Sr Product Manager
    Join Date
    Jan 2012
    Location
    Arlington, WA
    Posts
    1,178


    I'll look into this and get back to you.

  3. #3
    Sencha Sr Product Manager
    Join Date
    Jan 2012
    Location
    Arlington, WA
    Posts
    1,178


    Do you have the server adding a CSP header or do you add a meta tag, and what does your CSP definition look like? Are you using RPC?

  4. #4
    Sencha Premium Member
    Join Date
    Feb 2016
    Posts
    2


    The server is adding the CSP header as a proper HTTP response header:

    Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; connect-src 'self'; frame-src 'self'; font-src 'self' data:; img-src 'self' data:;

    The only directive I care about at the moment is "script-src 'self'".
    And yes, I'm using RPC calls.

    Thanks for looking into it!

  5. #5
    Sencha Sr Product Manager
    Join Date
    Jan 2012
    Location
    Arlington, WA
    Posts
    1,178


    Thanks for the data. I'll be looking into the options later today and will get back with more soon.

  6. #6
    Sencha Sr Product Manager
    Join Date
    Jan 2012
    Location
    Arlington, WA
    Posts
    1,178


    I've been doing some testing and upgrading to GWT 2.8.2 helps solve the issues I've tested so far. I haven't gotten to the RPC testing yet but wanted to find out to start with if the GWT 2.8.2 updates help.

    I'm using the meta tag to turn on the CSP.
    Code:
    <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; connect-src 'self'; frame-src 'self'; font-src 'self' data:; img-src 'self' data:;">
    Which version of GWT are you using?
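An added example, not code from this thread or from Sencha/GWT: a small audit of a Content-Security-Policy string such as the header in post #4 (identical to the meta tag above). It parses the directives, applies the default-src fallback, and lists which directives still allow inline code or eval, so that a change like dropping 'unsafe-inline' from script-src can be verified before the app is tested against the policy.

```python
# Added example (not from this thread or Sencha/GWT): audit a CSP string like the posted header.
from typing import Dict, List, Tuple

# Fetch directives that inherit default-src when they are not set explicitly.
FALLS_BACK_TO_DEFAULT = {
    "script-src", "style-src", "connect-src", "img-src", "font-src",
    "frame-src", "media-src", "object-src", "child-src", "worker-src",
}
UNSAFE_KEYWORDS = ("'unsafe-inline'", "'unsafe-eval'")

def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a policy into {directive: [sources]}; ';' separates directives, whitespace
    separates tokens, names are case-insensitive, and a trailing ';' is tolerated."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            # Per spec, only the first occurrence of a directive is honoured.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Sources that actually govern `directive`, after the default-src fallback."""
    if directive in policy:
        return policy[directive]
    if directive in FALLS_BACK_TO_DEFAULT:
        return policy.get("default-src", [])
    return []  # neither set nor inherited: the browser applies no restriction

def audit_csp(header: str) -> List[Tuple[str, str]]:
    """(directive, keyword) pairs for each unsafe keyword effectively allowed on
    script-src or style-src. CSP Level 2+ browsers ignore 'unsafe-inline' when a
    nonce- or hash-source is present in the same directive, so it is skipped then."""
    policy = parse_csp(header)
    findings: List[Tuple[str, str]] = []
    for directive in ("script-src", "style-src"):
        sources = [s.lower() for s in effective_sources(policy, directive)]
        nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                            for s in sources)
        for keyword in UNSAFE_KEYWORDS:
            if keyword in sources and not (keyword == "'unsafe-inline'" and nonce_or_hash):
                findings.append((directive, keyword))
    return findings

if __name__ == "__main__":
    # Constructed input: the header posted in this thread.
    posted = ("default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; "
              "connect-src 'self'; frame-src 'self'; font-src 'self' data:; img-src 'self' data:;")
    print(audit_csp(posted))  # [('style-src', "'unsafe-inline'")]
```

Running it on the posted header reports only style-src, confirming that script-src is already strict and that the remaining violations come from inline scripts or eval in the generated GWT/GXT output rather than from the policy text.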
