This repository was archived by the owner on Feb 25, 2025. It is now read-only.
[web] Add nonce configuration. #42829
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This comment was marked as outdated.
This comment was marked as outdated.
|
It's impossible that this affects goldens, my beloved bot, go home, you're drunk! |
jacobsimionato
approved these changes
Jun 28, 2023
|
(Updating branch to see if it restarts gold tests) |
engine-flutter-autoroll
added a commit
to engine-flutter-autoroll/flutter
that referenced
this pull request
Jun 30, 2023
auto-submit bot
pushed a commit
to flutter/flutter
that referenced
this pull request
Jun 30, 2023
…129818) flutter/engine@d333434...099a70e 2023-06-30 ditman@gmail.com [web] Add nonce configuration. (flutter/engine#42829) 2023-06-30 bdero@google.com [Impeller] Unwrap optional procs in EntityPass (flutter/engine#43352) 2023-06-30 bdero@google.com [Impeller] Assign missing user to TODO. (flutter/engine#43351) 2023-06-29 skia-flutter-autoroll@skia.org Roll Skia from a1ae27969207 to 2d05e3ec6b67 (1 revision) (flutter/engine#43350) 2023-06-29 skia-flutter-autoroll@skia.org Roll Dart SDK from ecc2440be198 to 2d98d9e27dae (1 revision) (flutter/engine#43347) 2023-06-29 jonahwilliams@google.com [Impeller] Check for lazy memory support. (flutter/engine#43339) 2023-06-29 bdero@google.com [Impeller] Remove all double empties (flutter/engine#43345) If this roll has caused a breakage, revert this CL and stop the roller using the controls here: https://autoroll.skia.org/r/flutter-engine-flutter-autoroll Please CC jimgraham@google.com,rmistry@google.com,zra@google.com on the revert to ensure that a human is aware of the problem. To file a bug in Flutter: https://github.com/flutter/flutter/issues/new/choose To report a problem with the AutoRoller itself, please file a bug: https://bugs.chromium.org/p/skia/issues/entry?template=Autoroller+Bug Documentation for the AutoRoller is here: https://skia.googlesource.com/buildbot/+doc/main/autoroll/README.md
kjlubick
pushed a commit
to kjlubick/engine
that referenced
this pull request
Jul 14, 2023
This PR adds a `nonce` JS configuration attribute so users can pass a nonce value to their flutter engine initialization code. This `nonce` is used to mark all scripts/styles needed by Flutter web that are considered `unsafe-inline` by CSP. In this change, there are only two tags that benefit from this: * canvaskit.js * inline styles for text editing Before this change, the most strict CSP that allows a Flutter Web app to run would look like: ``` script-src 'self' 'nonce-flutter-init-scripts' 'wasm-unsafe-eval' https://www.gstatic.com/flutter-canvaskit/; font-src https://fonts.gstatic.com; style-src 'unsafe-inline'; ``` After this change, CSP could be tightened to: ``` script-src 'self' 'nonce-YOUR_NONCE_VALUE' 'wasm-unsafe-eval'; font-src https://fonts.gstatic.com; style-src 'nonce-YOUR_NONCE_VALUE'; ``` By initializing the Flutter web app with something like this: ```html <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-YOUR_NONCE_VALUE' 'wasm-unsafe-eval'; font-src https://fonts.gstatic.com; style-src 'nonce-YOUR_NONCE_VALUE';"> ... <script nonce="YOUR_NONCE_VALUE"> _flutter.loader.loadEntrypoint({ onEntrypointLoaded: async function(engineInitializer) { let appRunner = await engineInitializer.initializeEngine({ nonce: 'YOUR_NONCE_VALUE', }); appRunner.runApp(); } }); </script> ``` ## Issues Fixes flutter/flutter#126977 (does not address `flutter.js`, that's a [different story](flutter/flutter#128061)) Helps with flutter/flutter#80221 --- [C++, Objective-C, Java style guides]: https://github.com/flutter/engine/blob/main/CONTRIBUTING.md#style
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR adds a
nonceJS configuration attribute so users can pass a nonce value to their flutter engine initialization code.This
nonceis used to mark all scripts/styles needed by Flutter web that are consideredunsafe-inlineby CSP. In this change, there are only two tags that benefit from this:Before this change, the most strict CSP that allows a Flutter Web app to run would look like:
After this change, CSP could be tightened to:
By initializing the Flutter web app with something like this:
Issues
Fixes flutter/flutter#126977 (does not address
flutter.js, that's a different story)Helps with flutter/flutter#80221
Pre-launch Checklist
///).If you need help, consider asking for advice on the #hackers-new channel on Discord.