GWT super dev mode content security policy

I am getting the following error in my code, in the browser, when I test it in eclipse using super dev mode:

wmsapp.nocache.js:131 Refused to load the script 'http://127.0.0.1:9876/wmsapp/5B051516607B4217EFF2D0B7FB10B220.cache.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval' http://127.0.0.1:9876/recompile-requester/wmsapp http://127.0.0.1:9876/recompile/wmsapp http://127.0.0.1:9876/wmsapp/wmsapp.nocache.js". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

installCode @ wmsapp.nocache.js:131

Obviously, on future tests, 5B051516607B4217EFF2D0B7FB10B220.cache.js will change. I know this because in a prior test I had a different file reference. For another GWT project, I don't have this problem. So what am I doing wrong? I cannot add this to the content security policy because it will change. Any ideas?

What is really strange is that I do not see this file anyplace in my source directory structure, even inside other files. Earlier today, for a different test, I got a different file, and I did see it referenced inside another file, but did not find the file itself. For this latest test, it was under the temp folder, C:\Users\<userid>\AppData\Local\Temp\gwt-codeserver-3014931782125410745.tmp, which I guess makes sense, and confirms why it changes for each test.

Current security content policy:

<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline' http://127.0.0.1:9876; script-src 'self' 'unsafe-inline' 'unsafe-eval' http://127.0.0.1:9876/recompile-requester/wmsapp http://127.0.0.1:9876/recompile/wmsapp http://127.0.0.1:9876/wmsapp/wmsapp.nocache.js">

Solution 1:

Depending on the GWT version you are using, GWT will usually create several JS files. IIRC, and if nothing has changed, you have - using the latest GWT version - 5 permutations. These are the files with the cryptic names that the *.nocache.js is loading.

These permutations will be loaded from the code server. And by defining files inside the Content-Security-Policy tag, you define the files which can be loaded. And because the file names always change, you have no chance to add them.

So, why not use:

script-src http://127.0.0.1:9876

as mentioned in the third example here.
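
Why the question's policy blocks the permutation file while an origin-only source allows it, as an added example (not code from the question or the answer): a simplified JavaScript model of CSP URL-source matching. The page origin used for 'self' is an assumed value, and the directory-scoped source `http://127.0.0.1:9876/wmsapp/` is a narrower alternative that goes beyond what the answer suggests.

```javascript
// Added example: simplified model of CSP URL-source matching (scheme, host,
// port, path). No wildcards, nonces, hashes or redirect handling.
function sourceMatches(source, requestUrl) {
  const src = new URL(source);
  const req = new URL(requestUrl);
  if (src.protocol !== req.protocol || src.host !== req.host) return false;
  const p = src.pathname; // "/" when the source names only an origin
  // A path ending in "/" is a prefix match; any other path must match exactly.
  return p.endsWith("/") ? req.pathname.startsWith(p) : req.pathname === p;
}

// pageOrigin is an assumed value standing in for what 'self' resolves to.
function scriptAllowed(scriptSrc, requestUrl, pageOrigin) {
  return scriptSrc.split(/\s+/).filter(Boolean).some((token) => {
    if (token === "'self'") return sourceMatches(pageOrigin, requestUrl);
    if (token.startsWith("'")) return false; // 'unsafe-inline' etc. are not URL sources
    return sourceMatches(token, requestUrl);
  });
}

const PAGE_ORIGIN = "http://127.0.0.1:8888"; // assumed, not from the page
const NOCACHE = "http://127.0.0.1:9876/wmsapp/wmsapp.nocache.js";
const BLOCKED =
  "http://127.0.0.1:9876/wmsapp/5B051516607B4217EFF2D0B7FB10B220.cache.js";

// script-src value exactly as in the question's meta tag.
const questionPolicy = "'self' 'unsafe-inline' 'unsafe-eval' " +
  "http://127.0.0.1:9876/recompile-requester/wmsapp " +
  "http://127.0.0.1:9876/recompile/wmsapp " + NOCACHE;
// Origin-only source, as the answer proposes (keywords kept from the question).
const originPolicy = "'self' 'unsafe-inline' 'unsafe-eval' http://127.0.0.1:9876";
// Narrower variant: the trailing slash turns the path into a prefix match.
const directoryPolicy = questionPolicy + " http://127.0.0.1:9876/wmsapp/";

function report() {
  return {
    nocacheUnderQuestion: scriptAllowed(questionPolicy, NOCACHE, PAGE_ORIGIN),
    blockedUnderQuestion: scriptAllowed(questionPolicy, BLOCKED, PAGE_ORIGIN),
    blockedUnderOrigin: scriptAllowed(originPolicy, BLOCKED, PAGE_ORIGIN),
    blockedUnderDirectory: scriptAllowed(directoryPolicy, BLOCKED, PAGE_ORIGIN),
    otherPathUnderDirectory: scriptAllowed(
      directoryPolicy, "http://127.0.0.1:9876/other/x.js", PAGE_ORIGIN),
  };
}
console.log(report());
```

Either source for the code server belongs only in the development copy of the page, since port 9876 serves Super Dev Mode output.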