
@ditman
Member

@ditman ditman commented Oct 25, 2023

Description

This PR adds a nonce parameter to flutter.js' loadEntrypoint method.

When set, loadEntrypoint will add a nonce attribute to the main.dart.js script tag, which allows Flutter to run in environments slightly more restricted by CSP; those that don't add 'self' as a valid source for script-src.


CSP directive

After this change, the CSP directive for a Flutter Web index.html can be:

script-src 'nonce-YOUR_NONCE_VALUE' 'wasm-unsafe-eval';
font-src https://fonts.gstatic.com;
style-src 'nonce-YOUR_NONCE_VALUE';

When CSP is set via a meta tag (like in the test accompanying this change), and to use a service worker, the CSP needs an additional directive: worker-src 'self';

When CSP is set via response headers, the CSP that applies to flutter_service_worker.js is determined by its response headers. See Web Workers API > Content security policy in MDN.


Initialization

If the CSP is set to disallow script-src 'self', a nonce needs to also be passed to loadEntrypoint:

  _flutter.loader.loadEntrypoint({
    nonce: 'SOME_NONCE', // added to the main.dart.js script tag
    onEntrypointLoaded: async function (engineInitializer) {
      const appRunner = await engineInitializer.initializeEngine({
        nonce: 'SOME_NONCE', // repeated here; see the note below
      });
      appRunner.runApp();
    },
  });

(nonce shows twice for now, because the entrypoint loader script doesn't have direct access to the initializeEngine call.)


Tests

  • Added a smoke test to ensure an app configured as described above starts.

Issues

Pre-launch Checklist

  • I read the Contributor Guide and followed the process outlined there for submitting PRs.
  • I read the Tree Hygiene wiki page, which explains my responsibilities.
  • I read and followed the Flutter Style Guide, including Features we expect every widget to implement.
  • I signed the CLA.
  • I listed at least one issue that this PR fixes in the description above.
  • I updated/added relevant documentation (doc comments with ///).
  • I added new tests to check the change I am making, or this PR is test-exempt.
  • All existing and new tests are passing.

If you need help, consider asking for advice on the #hackers-new channel on Discord.

@github-actions github-actions bot added the tool Affects the "flutter" command-line tool. See also t: labels. label Oct 25, 2023
@ditman ditman removed the request for review from jacobsimionato October 25, 2023 06:52
@ditman
Member Author

ditman commented Oct 25, 2023

/cc @eyebrowsoffire this is the change I wanted to make to flutter.js before it moves to the engine.

/cc @jacobsimionato LMK if the API is acceptable. Repeating the nonce is not great, but all the alternatives (that I can think of) require some ugly hacking :S

@jacobsimionato jacobsimionato self-requested a review October 26, 2023 01:13
Contributor

@jacobsimionato jacobsimionato left a comment

This looks great! Re the duplication: yep it'd be great to remove when possible, but for now we have wrappers around this anyway, so we can just set the nonce in two places in a way that clients won't have to worry about.

Contributor

@eyebrowsoffire eyebrowsoffire left a comment

LGTM!

@ditman
Member Author

ditman commented Oct 27, 2023

Thanks for the reviews! Let's land this so internal customers get unblocked!

@ditman ditman added the autosubmit Merge PR when tree becomes green via auto submit App label Oct 27, 2023
@auto-submit auto-submit bot merged commit 15ccf24 into flutter:master Oct 27, 2023
engine-flutter-autoroll added a commit to engine-flutter-autoroll/packages that referenced this pull request Oct 28, 2023
engine-flutter-autoroll added a commit to engine-flutter-autoroll/packages that referenced this pull request Oct 28, 2023
auto-submit bot pushed a commit to flutter/packages that referenced this pull request Oct 28, 2023
flutter/flutter@5907c97...a4ec627

2023-10-28 [email protected] Roll Flutter Engine from f5fbd9cd60c6 to 84dcb4fb9301 (1 revision) (flutter/flutter#137468)
2023-10-28 [email protected] Roll Flutter Engine from 03de8a41995b to f5fbd9cd60c6 (2 revisions) (flutter/flutter#137467)
2023-10-28 [email protected] Instrument more disposables. (flutter/flutter#137309)
2023-10-28 [email protected] TextPainter should dispatch creation and disposal events. (flutter/flutter#137416)
2023-10-28 [email protected] Roll Flutter Engine from a76821199d9d to 03de8a41995b (2 revisions) (flutter/flutter#137464)
2023-10-28 [email protected] Roll Flutter Engine from f1e30b4b9f27 to a76821199d9d (3 revisions) (flutter/flutter#137462)
2023-10-28 [email protected] Roll Flutter Engine from 7e2aa68b2f27 to f1e30b4b9f27 (2 revisions) (flutter/flutter#137461)
2023-10-27 [email protected] Roll Flutter Engine from 513e007ed682 to 7e2aa68b2f27 (1 revision) (flutter/flutter#137460)
2023-10-27 [email protected] Roll Flutter Engine from 32bb5b057c86 to 513e007ed682 (3 revisions) (flutter/flutter#137457)
2023-10-27 [email protected] Roll Flutter Engine from f2ec263cebf9 to 32bb5b057c86 (1 revision) (flutter/flutter#137452)
2023-10-27 49699333+dependabot[bot]@users.noreply.github.com Bump github/codeql-action from 2.22.4 to 2.22.5 (flutter/flutter#137450)
2023-10-27 [email protected] Roll Flutter Engine from 453a04dbf891 to f2ec263cebf9 (2 revisions) (flutter/flutter#137449)
2023-10-27 [email protected] [web] Add 'nonce' prop to flutter.js loadEntrypoint (flutter/flutter#137204)
2023-10-27 [email protected] Roll Flutter Engine from 1e66c0ae7bda to 453a04dbf891 (1 revision) (flutter/flutter#137446)
2023-10-27 [email protected] Provide exception for listing an issue. (flutter/flutter#137092)
2023-10-27 [email protected] Roll Flutter Engine from 0bba9eeb8f5d to 1e66c0ae7bda (1 revision) (flutter/flutter#137442)
2023-10-27 [email protected] Roll Flutter Engine from a198ad4e740d to 0bba9eeb8f5d (1 revision) (flutter/flutter#137437)
2023-10-27 [email protected] Bump goldctl in .ci.yaml (flutter/flutter#137441)

If this roll has caused a breakage, revert this CL and stop the roller
using the controls here:
https://autoroll.skia.org/r/flutter-packages
Please CC [email protected],[email protected],[email protected] on the revert to ensure that a human
is aware of the problem.

To file a bug in Packages: https://github.com/flutter/flutter/issues/new/choose

To report a problem with the AutoRoller itself, please file a bug:
https://issues.skia.org/issues/new?component=1389291&template=1850622

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+doc/main/autoroll/README.md
engine-flutter-autoroll added a commit to engine-flutter-autoroll/packages that referenced this pull request Feb 16, 2024
Development

Successfully merging this pull request may close these issues.

Add the ability to pass a CSP nonce to flutter.js that will be used when loading additional scripts

3 participants