-
David Iglesias authored
## Description This PR adds a `nonce` parameter to flutter.js' `loadEntrypoint` method. When set, loadEntrypoint will add a `nonce` attribute to the `main.dart.js` script tag, which allows Flutter to run in environments slightly more restricted by CSP; those that don't add `'self'` as a valid source for `script-src`. ---- ### CSP directive After this change, the CSP directive for a Flutter Web index.html can be: ``` script-src 'nonce-YOUR_NONCE_VALUE' 'wasm-unsafe-eval'; font-src https://fonts.gstatic.com; style-src 'nonce-YOUR_NONCE_VALUE'; ``` When CSP is set via a `meta` tag (like in the test accompanying this change), and to use a service worker, the CSP needs an additional directive: [`worker-src 'self';`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/worker-src) When CSP set via response headers, the CSP that applies to `flutter_service_worker.js` is determined by its response headers. See **Web Workers API > [Content security policy](https://developer.mozilla.org/en-US/docs/Web/API/Web_Workers_API/Using_web_workers#content_security_policy)** in MDN.) ---- ### Initialization If the CSP is set to disallow `script-src 'self'`, a nonce needs to also be passed to `loadEntrypoint`: ```javascript _flutter.loader.loadEntrypoint({ nonce: 'SOME_NONCE', onEntrypointLoaded: (engineInitializer) async { const appRunner = await engineInitializer.initializeEngine({ nonce: 'SOME_NONCE', }); appRunner.runApp(); }, }); ``` (`nonce` shows twice for now, because the entrypoint loader script doesn't have direct access to the `initializeEngine` call.) ---- ## Tests * Added a smoke test to ensure an app configured as described above starts. ## Issues * Fixes https://github.com/flutter/flutter/issues/126977