GWT super dev mode content security policy
I am getting the following error in my code, in the browser, when I test it in eclipse using super dev mode:
wmsapp.nocache.js:131 Refused to load the script 'http://127.0.0.1:9876/wmsapp/5B051516607B4217EFF2D0B7FB10B220.cache.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval' http://127.0.0.1:9876/recompile-requester/wmsapp http://127.0.0.1:9876/recompile/wmsapp http://127.0.0.1:9876/wmsapp/wmsapp.nocache.js". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
installCode @ wmsapp.nocache.js:131
Obviously, on future tests, 5B051516607B4217EFF2D0B7FB10B220.cache.js
will change. I know this because in a prior test I had a different file reference. For another GWT project, I don't have this problem. So what am I doing wrong? I cannot add this to the conent security policy because it will change. Any ideas?
What is really strange is that I do not see this file anyplace in my source directory structure, even inside other files. Earlier today, for a different test, I got a different file, and I did see it referenced inside another file, but did not find the file itself. For this latest test, it was under the temp folder, C:\Users\<userid>\AppData\Local\Temp\gwt-codeserver-3014931782125410745.tmp
, which I guess makes sense, and confirms why it changes for each test.
Current security content policy:
<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline' http://127.0.0.1:9876; script-src 'self' 'unsafe-inline' 'unsafe-eval' http://127.0.0.1:9876/recompile-requester/wmsapp http://127.0.0.1:9876/recompile/wmsapp http://127.0.0.1:9876/wmsapp/wmsapp.nocache.js">
Solution 1:
Depending on the GWT version you are using, GWT will usually create several JS files. IIRC and nothing is changed, you have - using the lasting GWT version - 5 permutations. These are the files with the cryptic name that the *.nochache.js
is loading.
These permutation will be loaded from the code server. And by defining files inside the Content-Security-Policy tag, you define the files which can be loaded. And because the file names always change, you have no chance to add them.
So, why not using:
script-src http://127.0.0.1:9876
as mentioned in the third example here.