packages/flutter_tools/lib/src · 6b2e62f9b1c51f8bddef7c0e5e70a8c219f87a19 · abdullh.alsoleman / Front-End

[web] Add 'nonce' prop to flutter.js loadEntrypoint (#137204) · 15ccf24d

David Iglesias authored Oct 27, 2023

## Description

This PR adds a `nonce` parameter to flutter.js' `loadEntrypoint` method.

When set, loadEntrypoint will add a `nonce` attribute to the `main.dart.js` script tag, which allows Flutter to run in environments slightly more restricted by CSP; those that don't add `'self'` as a valid source for `script-src`.

----

### CSP directive

After this change, the CSP directive for a Flutter Web index.html can be:

```
script-src 'nonce-YOUR_NONCE_VALUE' 'wasm-unsafe-eval';
font-src https://fonts.gstatic.com;
style-src 'nonce-YOUR_NONCE_VALUE';
```

When CSP is set via a `meta` tag (like in the test accompanying this change), and to use a service worker, the CSP needs an additional directive: [`worker-src 'self';`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/worker-src)

When CSP set via response headers, the CSP that applies to `flutter_service_worker.js` is determined by its response headers. See **Web Workers API > [Content security policy](https://developer.mozilla.org/en-US/docs/Web/API/Web_Workers_API/Using_web_workers#content_security_policy)** in MDN.)

----

### Initialization

If the CSP is set to disallow `script-src 'self'`, a nonce needs to also be passed to `loadEntrypoint`:

```javascript
  _flutter.loader.loadEntrypoint({
    nonce: 'SOME_NONCE',
    onEntrypointLoaded: (engineInitializer) async {
      const appRunner = await engineInitializer.initializeEngine({
        nonce: 'SOME_NONCE',
      });
      appRunner.runApp();
    },
  });
```

(`nonce` shows twice for now, because the entrypoint loader script doesn't have direct access to the `initializeEngine` call.)

----

## Tests

* Added a smoke test to ensure an app configured as described above starts.

## Issues

* Fixes https://github.com/flutter/flutter/issues/126977

15ccf24d

Name	Last commit	Last update
..
android		Loading commit data...
base		Loading commit data...
build_system		Loading commit data...
commands		Loading commit data...
custom_devices		Loading commit data...
dart		Loading commit data...
debug_adapters		Loading commit data...
drive		Loading commit data...
fuchsia		Loading commit data...
intellij		Loading commit data...
ios		Loading commit data...
isolated		Loading commit data...
linux		Loading commit data...
localizations		Loading commit data...
macos		Loading commit data...
migrations		Loading commit data...
proxied_devices		Loading commit data...
reporting		Loading commit data...
runner		Loading commit data...
test		Loading commit data...
tester		Loading commit data...
vscode		Loading commit data...
web		Loading commit data...
windows		Loading commit data...
application_package.dart		Loading commit data...
artifacts.dart		Loading commit data...
asset.dart		Loading commit data...
build_info.dart		Loading commit data...
bundle.dart		Loading commit data...
bundle_builder.dart		Loading commit data...
cache.dart		Loading commit data...
cmake.dart		Loading commit data...
cmake_project.dart		Loading commit data...
compile.dart		Loading commit data...
context_runner.dart		Loading commit data...
convert.dart		Loading commit data...
daemon.dart		Loading commit data...
dart_pub_json_formatter.dart		Loading commit data...
desktop_device.dart		Loading commit data...
devfs.dart		Loading commit data...
device.dart		Loading commit data...
device_port_forwarder.dart		Loading commit data...
devtools_launcher.dart		Loading commit data...
doctor.dart		Loading commit data...
doctor_validator.dart		Loading commit data...
emulator.dart		Loading commit data...
features.dart		Loading commit data...
flutter_application_package.dart		Loading commit data...
flutter_cache.dart		Loading commit data...
flutter_device_manager.dart		Loading commit data...
flutter_features.dart		Loading commit data...
flutter_manifest.dart		Loading commit data...
flutter_plugins.dart		Loading commit data...
flutter_project_metadata.dart		Loading commit data...
globals.dart		Loading commit data...
html_utils.dart		Loading commit data...
http_host_validator.dart		Loading commit data...
license_collector.dart		Loading commit data...
mdns_discovery.dart		Loading commit data...
native_assets.dart		Loading commit data...
persistent_tool_state.dart		Loading commit data...
platform_plugins.dart		Loading commit data...
plugins.dart		Loading commit data...
pre_run_validator.dart		Loading commit data...
preview_device.dart		Loading commit data...
project.dart		Loading commit data...
project_validator.dart		Loading commit data...
project_validator_result.dart		Loading commit data...
protocol_discovery.dart		Loading commit data...
proxy_validator.dart		Loading commit data...
resident_devtools_handler.dart		Loading commit data...
resident_runner.dart		Loading commit data...
run_cold.dart		Loading commit data...
run_hot.dart		Loading commit data...
sksl_writer.dart		Loading commit data...
template.dart		Loading commit data...
tracing.dart		Loading commit data...
version.dart		Loading commit data...
vmservice.dart		Loading commit data...
xcode_project.dart		Loading commit data...

Download source code

Download this directory