David Iglesias 15ccf24d79
[web] Add 'nonce' prop to flutter.js loadEntrypoint (#137204)
## Description

This PR adds a `nonce` parameter to flutter.js' `loadEntrypoint` method.

When set, loadEntrypoint will add a `nonce` attribute to the `main.dart.js` script tag, which allows Flutter to run in environments slightly more restricted by CSP; those that don't add `'self'` as a valid source for `script-src`.

----

### CSP directive

After this change, the CSP directive for a Flutter Web index.html can be:

```
script-src 'nonce-YOUR_NONCE_VALUE' 'wasm-unsafe-eval';
font-src https://fonts.gstatic.com;
style-src 'nonce-YOUR_NONCE_VALUE';
```

When CSP is set via a `meta` tag (like in the test accompanying this change), and to use a service worker, the CSP needs an additional directive: [`worker-src 'self';`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/worker-src)

When CSP is set via response headers, the CSP that applies to `flutter_service_worker.js` is determined by its response headers. See **Web Workers API > [Content security policy](https://developer.mozilla.org/en-US/docs/Web/API/Web_Workers_API/Using_web_workers#content_security_policy)** in MDN.

----

### Initialization

If the CSP is set to disallow `script-src 'self'`, a nonce needs to also be passed to `loadEntrypoint`:

```javascript
  _flutter.loader.loadEntrypoint({
    nonce: 'SOME_NONCE',
    onEntrypointLoaded: async (engineInitializer) => {
      const appRunner = await engineInitializer.initializeEngine({
        nonce: 'SOME_NONCE',
      });
      appRunner.runApp();
    },
  });
```

(`nonce` shows twice for now, because the entrypoint loader script doesn't have direct access to the `initializeEngine` call.)

----

## Tests

* Added a smoke test to ensure an app configured as described above starts.

## Issues

* Fixes https://github.com/flutter/flutter/issues/126977
2023-10-27 21:05:06 +00:00
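
The commit message above uses fixed nonce strings; a nonce only protects the page when the server issues a fresh, unpredictable value with every response. The following is an added example, not code from this commit or from the Flutter project: a Node.js sketch that generates one nonce per response and places it in the CSP directive, the script tags and both `nonce` arguments. The `NONCE_PLACEHOLDER` marker, the template and the function names are assumptions made for illustration.

```javascript
// Added example (not Flutter project code): per-response CSP nonce for index.html.
const crypto = require('node:crypto');

// Constructed template. NONCE_PLACEHOLDER is a hypothetical marker, not a Flutter feature.
// Without 'self' in script-src, every script tag needs the nonce, including flutter.js.
const INDEX_TEMPLATE = `<!DOCTYPE html>
<html>
<head>
  <script src="flutter.js" nonce="NONCE_PLACEHOLDER"></script>
</head>
<body>
  <script nonce="NONCE_PLACEHOLDER">
    _flutter.loader.loadEntrypoint({
      nonce: 'NONCE_PLACEHOLDER',
      onEntrypointLoaded: async (engineInitializer) => {
        const appRunner = await engineInitializer.initializeEngine({
          nonce: 'NONCE_PLACEHOLDER',
        });
        appRunner.runApp();
      },
    });
  </script>
</body>
</html>`;

// Builds the directive set shown in the commit message for a given nonce.
function buildCsp(nonce) {
  return [
    `script-src 'nonce-${nonce}' 'wasm-unsafe-eval'`,
    'font-src https://fonts.gstatic.com',
    `style-src 'nonce-${nonce}'`,
  ].join('; ');
}

// Call once per HTTP response: 128 random bits, base64-encoded, used in
// both the policy and the page so the two always agree.
function renderIndex(template = INDEX_TEMPLATE) {
  const nonce = crypto.randomBytes(16).toString('base64');
  return {
    nonce,
    csp: buildCsp(nonce),
    html: template.replaceAll('NONCE_PLACEHOLDER', nonce),
  };
}
```

Send `csp` as the `Content-Security-Policy` response header alongside `html`; a cached or statically hosted copy of the page would reuse its nonce on every load.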
2023-10-20 20:36:29 +00:00

This directory contains tools and resources that the Flutter team uses during the development of the framework. The tools in this directory should not be necessary for developing Flutter applications, though of course, they may be interesting if you are curious.

The tests in this directory are run in the framework_tests_misc-* shards.