mirror of
https://github.com/flutter/flutter.git
synced 2026-02-20 02:29:02 +08:00
This PR adds a `nonce` JS configuration attribute so users can pass a nonce value to their flutter engine initialization code. This `nonce` is used to mark all scripts/styles needed by Flutter web that are considered `unsafe-inline` by CSP. In this change, there are only two tags that benefit from this: * canvaskit.js * inline styles for text editing Before this change, the most strict CSP that allows a Flutter Web app to run would look like: ``` script-src 'self' 'nonce-flutter-init-scripts' 'wasm-unsafe-eval' https://www.gstatic.com/flutter-canvaskit/; font-src https://fonts.gstatic.com; style-src 'unsafe-inline'; ``` After this change, CSP could be tightened to: ``` script-src 'self' 'nonce-YOUR_NONCE_VALUE' 'wasm-unsafe-eval'; font-src https://fonts.gstatic.com; style-src 'nonce-YOUR_NONCE_VALUE'; ``` By initializing the Flutter web app with something like this: ```html <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-YOUR_NONCE_VALUE' 'wasm-unsafe-eval'; font-src https://fonts.gstatic.com; style-src 'nonce-YOUR_NONCE_VALUE';"> ... <script nonce="YOUR_NONCE_VALUE"> _flutter.loader.loadEntrypoint({ onEntrypointLoaded: async function(engineInitializer) { let appRunner = await engineInitializer.initializeEngine({ nonce: 'YOUR_NONCE_VALUE', }); appRunner.runApp(); } }); </script> ``` ## Issues Fixes https://github.com/flutter/flutter/issues/126977 (does not address `flutter.js`, that's a [different story](https://github.com/flutter/flutter/issues/128061)) Helps with https://github.com/flutter/flutter/issues/80221 --- [C++, Objective-C, Java style guides]: https://github.com/flutter/engine/blob/main/CONTRIBUTING.md#style