github/flutter
7
0
Fork 0
mirror of https://github.com/flutter/flutter.git synced 2025-06-03 00:51:18 +00:00
Code Issues Packages Projects Releases Wiki Activity
c3e786f3f3
flutter/dev/integration_tests/web/web
History
David Iglesias 15ccf24d79
[web] Add 'nonce' prop to flutter.js loadEntrypoint (#137204) 
## Description

This PR adds a `nonce` parameter to flutter.js' `loadEntrypoint` method.

When set, loadEntrypoint will add a `nonce` attribute to the `main.dart.js` script tag, which allows Flutter to run in environments slightly more restricted by CSP; those that don't add `'self'` as a valid source for `script-src`.

----

### CSP directive

After this change, the CSP directive for a Flutter Web index.html can be:

```
script-src 'nonce-YOUR_NONCE_VALUE' 'wasm-unsafe-eval';
font-src https://fonts.gstatic.com;
style-src 'nonce-YOUR_NONCE_VALUE';
```

When CSP is set via a `meta` tag (like in the test accompanying this change), and to use a service worker, the CSP needs an additional directive: [`worker-src 'self';`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/worker-src)

When CSP set via response headers, the CSP that applies to `flutter_service_worker.js` is determined by its response headers. See **Web Workers API > [Content security policy](https://developer.mozilla.org/en-US/docs/Web/API/Web_Workers_API/Using_web_workers#content_security_policy)** in MDN.)

----

### Initialization

If the CSP is set to disallow `script-src 'self'`, a nonce needs to also be passed to `loadEntrypoint`:

```javascript
  _flutter.loader.loadEntrypoint({
    nonce: 'SOME_NONCE',
    onEntrypointLoaded: (engineInitializer) async {
      const appRunner = await engineInitializer.initializeEngine({
        nonce: 'SOME_NONCE',
      });
      appRunner.runApp();
    },
  });
```

(`nonce` shows twice for now, because the entrypoint loader script doesn't have direct access to the `initializeEngine` call.)

----

## Tests

* Added a smoke test to ensure an app configured as described above starts.

## Issues

* Fixes https://github.com/flutter/flutter/issues/126977
2023-10-27 21:05:06 +00:00
..
.gitignore [web] fix hot restart in entrypoint generated by flutter create (#110229) 2022-08-25 20:30:00 +00:00
example [flutter_tools] resolve requests to web directory in debug mode (#51995) 2020-03-05 12:34:03 -08:00
index_with_blocked_service_workers.html [web] Fix JS crash when FF blocks service workers. (#106072) 2022-06-17 02:22:07 +00:00
index_with_flutterjs_custom_sw_version.html [web] provide serviceWorkerVersion to the getNewServiceWorker function (#131240) 2023-09-14 22:17:08 +00:00
index_with_flutterjs_el_nonce.html [web] Add 'nonce' prop to flutter.js loadEntrypoint (#137204) 2023-10-27 21:05:06 +00:00
index_with_flutterjs_el_tt_on.html [web] Use TrustedTypes in flutter.js and other tools (#112969) 2022-10-21 16:03:51 +00:00
index_with_flutterjs_entrypoint_loaded.html [web] Add onEntrypointLoaded to FlutterLoader. (#108776) 2022-08-03 20:58:06 +00:00
index_with_flutterjs_short.html [flutter.js] Wait for reg.update, then activate sw (if not active yet). (#101464) 2022-04-11 19:04:08 -07:00
index_with_flutterjs.html [flutter.js] Wait for reg.update, then activate sw (if not active yet). (#101464) 2022-04-11 19:04:08 -07:00
index_without_flutterjs.html [flutter.js] Wait for reg.update, then activate sw (if not active yet). (#101464) 2022-04-11 19:04:08 -07:00
index.html [web] new service worker loading mechanism (#75535) 2021-02-11 09:16:21 -08:00
manifest.json [flutter_tools] cache-bust in service worker (#56786) 2020-05-16 14:57:04 -07:00