    [web] Add 'nonce' prop to flutter.js loadEntrypoint (#137204) · 15ccf24d
    David Iglesias authored
    ## Description
    
    This PR adds a `nonce` parameter to flutter.js' `loadEntrypoint` method.
    
    When set, loadEntrypoint will add a `nonce` attribute to the `main.dart.js` script tag, which allows Flutter to run in environments slightly more restricted by CSP; those that don't add `'self'` as a valid source for `script-src`.
    
    ----
    
    ### CSP directive
    
    After this change, the CSP directive for a Flutter Web index.html can be:
    
    ```
    script-src 'nonce-YOUR_NONCE_VALUE' 'wasm-unsafe-eval';
    font-src https://fonts.gstatic.com;
    style-src 'nonce-YOUR_NONCE_VALUE';
    ```
    
    When CSP is set via a `meta` tag (like in the test accompanying this change), and to use a service worker, the CSP needs an additional directive: [`worker-src 'self';`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/worker-src)
    
    When CSP is set via response headers, the CSP that applies to `flutter_service_worker.js` is determined by its response headers. (See **Web Workers API > [Content security policy](https://developer.mozilla.org/en-US/docs/Web/API/Web_Workers_API/Using_web_workers#content_security_policy)** in MDN.)
    
    ----
    
    ### Initialization
    
    If the CSP is set to disallow `script-src 'self'`, a nonce needs to also be passed to `loadEntrypoint`:
    
    ```javascript
      _flutter.loader.loadEntrypoint({
        nonce: 'SOME_NONCE',
        onEntrypointLoaded: async (engineInitializer) => {
          const appRunner = await engineInitializer.initializeEngine({
            nonce: 'SOME_NONCE',
          });
          appRunner.runApp();
        },
      });
    ```
    
    (`nonce` shows twice for now, because the entrypoint loader script doesn't have direct access to the `initializeEngine` call.)
    
    ----
    
    ## Tests
    
    * Added a smoke test to ensure an app configured as described above starts.
    
    ## Issues
    
    * Fixes https://github.com/flutter/flutter/issues/126977
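
The setup described in the commit message, served from Node.js with the CSP sent as a response header, as an added example that is not part of the commit or the Flutter repository. The names `newNonce`, `buildCsp`, `renderIndex` and the `__CSP_NONCE__` template placeholder are assumptions; the directives and the `loadEntrypoint` / `initializeEngine` calls are the ones shown above.

```javascript
// Added example, not code from the Flutter repository. newNonce, buildCsp,
// renderIndex and the __CSP_NONCE__ placeholder are assumed names.
const { randomBytes } = require('node:crypto');

// One fresh, unpredictable nonce per HTTP response; never hard-code or reuse it.
const newNonce = () => randomBytes(16).toString('base64');

// The policy from the commit message, with the per-response nonce filled in.
function buildCsp(nonce) {
  return [
    `script-src 'nonce-${nonce}' 'wasm-unsafe-eval'`,
    'font-src https://fonts.gstatic.com',
    `style-src 'nonce-${nonce}'`,
  ].join('; ');
}

// Constructed index.html template. Both script tags need the nonce because
// the policy has no 'self' in script-src.
const INDEX_TEMPLATE = `<!DOCTYPE html>
<html><head>
  <script src="flutter.js" nonce="__CSP_NONCE__"></script>
</head><body>
  <script nonce="__CSP_NONCE__">
    _flutter.loader.loadEntrypoint({
      nonce: '__CSP_NONCE__',
      onEntrypointLoaded: async (engineInitializer) => {
        const appRunner = await engineInitializer.initializeEngine({
          nonce: '__CSP_NONCE__',
        });
        appRunner.runApp();
      },
    });
  </script>
</body></html>`;

// Header and body for one response, sharing one nonce. The grammar check
// (CSP base64-value) also keeps the value from breaking out of the template.
function renderIndex(nonce = newNonce()) {
  if (!/^[A-Za-z0-9+\/_-]+={0,2}$/.test(nonce)) {
    throw new Error('nonce is not a valid CSP base64-value');
  }
  return {
    headers: { 'Content-Security-Policy': buildCsp(nonce) },
    body: INDEX_TEMPLATE.replaceAll('__CSP_NONCE__', nonce),
  };
}
```

Call `renderIndex()` once per request and send both `headers` and `body` from the same call, so the nonce in the policy always matches the one in the markup.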