Skip to content

[web] Add 'nonce' prop to flutter.js loadEntrypoint#137204

Merged
auto-submit[bot] merged 2 commits intoflutter:masterfrom
ditman:hoist-web-nonce
Oct 27, 2023
Merged

[web] Add 'nonce' prop to flutter.js loadEntrypoint#137204
auto-submit[bot] merged 2 commits intoflutter:masterfrom
ditman:hoist-web-nonce

Conversation

@ditman
Copy link
Member

@ditman ditman commented Oct 25, 2023

Description

This PR adds a nonce parameter to flutter.js' loadEntrypoint method.

When set, loadEntrypoint will add a nonce attribute to the main.dart.js script tag, which allows Flutter to run in environments slightly more restricted by CSP; those that don't add 'self' as a valid source for script-src.

CSP directive

After this change, the CSP directive for a Flutter Web index.html can be:

script-src 'nonce-YOUR_NONCE_VALUE' 'wasm-unsafe-eval';
font-src https://fonts.gstatic.com;
style-src 'nonce-YOUR_NONCE_VALUE';

When CSP is set via a meta tag (like in the test accompanying this change), and to use a service worker, the CSP needs an additional directive: worker-src 'self';

When CSP set via response headers, the CSP that applies to flutter_service_worker.js is determined by its response headers. See Web Workers API > Content security policy in MDN.)

Initialization

If the CSP is set to disallow script-src 'self', a nonce needs to also be passed to loadEntrypoint:

  _flutter.loader.loadEntrypoint({
    nonce: 'SOME_NONCE',
    onEntrypointLoaded: (engineInitializer) async {
      const appRunner = await engineInitializer.initializeEngine({
        nonce: 'SOME_NONCE',
      });
      appRunner.runApp();
    },
  });

(nonce shows twice for now, because the entrypoint loader script doesn't have direct access to the initializeEngine call.)

Tests

  • Added a smoke test to ensure an app configured as described above starts.

Issues

Pre-launch Checklist

  • I read the Contributor Guide and followed the process outlined there for submitting PRs.
  • I read the Tree Hygiene wiki page, which explains my responsibilities.
  • I read and followed the Flutter Style Guide, including Features we expect every widget to implement.
  • I signed the CLA.
  • I listed at least one issue that this PR fixes in the description above.
  • I updated/added relevant documentation (doc comments with ///).
  • I added new tests to check the change I am making, or this PR is test-exempt.
  • All existing and new tests are passing.

If you need help, consider asking for advice on the #hackers-new channel on Discord.

@github-actions github-actions bot added the tool Affects the "flutter" command-line tool. See also t: labels. label Oct 25, 2023
@ditman ditman removed the request for review from jacobsimionato October 25, 2023 06:52
@ditman
Copy link
Member Author

ditman commented Oct 25, 2023

/cc @eyebrowsoffire this is the change I wanted to make to flutter.js before it moves to the engine.

/cc @jacobsimionato LMK if the API is acceptable. Repeating the nonce is not great, but all the alternatives (that I can think of) require some ugly hacking :S

@jacobsimionato jacobsimionato self-requested a review October 26, 2023 01:13
jacobsimionato
jacobsimionato approved these changes Oct 26, 2023
View reviewed changes
Copy link
Contributor

@jacobsimionato jacobsimionato left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks great! Re the duplication: yep it'd be great to remove when possible, but for now we have wrappers around this anyway, so we can just set the nonce in two places in a way that clients won't have to worry about.

eyebrowsoffire
eyebrowsoffire approved these changes Oct 27, 2023
View reviewed changes
Copy link
Contributor

@eyebrowsoffire eyebrowsoffire left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@ditman
Copy link
Member Author

ditman commented Oct 27, 2023

Thanks for the reviews! Let's land this so internal customers get unblocked!

@ditman ditman added the autosubmit Merge PR when tree becomes green via auto submit App label Oct 27, 2023
@auto-submit auto-submit bot merged commit 15ccf24 into flutter:master Oct 27, 2023
@engine-flutter-autoroll engine-flutter-autoroll mentioned this pull request Oct 28, 2023
Closed
engine-flutter-autoroll added a commit to engine-flutter-autoroll/packages that referenced this pull request Oct 28, 2023
@engine-flutter-autoroll
15ccf24 [web] Add 'nonce' prop to flutter.js loadEntrypoint (flutter/…
8da58c5 
…flutter#137204)
@engine-flutter-autoroll engine-flutter-autoroll mentioned this pull request Oct 28, 2023
Merged
engine-flutter-autoroll added a commit to engine-flutter-autoroll/packages that referenced this pull request Oct 28, 2023
@engine-flutter-autoroll
15ccf24 [web] Add 'nonce' prop to flutter.js loadEntrypoint (flutter/…
b094de0 
…flutter#137204)
auto-submit bot pushed a commit to flutter/packages that referenced this pull request Oct 28, 2023
@engine-flutter-autoroll
Roll Flutter from 5907c97 to a4ec627 (18 revisions) (#5255)
fe4c86b 
flutter/flutter@5907c97...a4ec627

2023-10-28 [email protected] Roll Flutter Engine from f5fbd9cd60c6 to 84dcb4fb9301 (1 revision) (flutter/flutter#137468)
2023-10-28 [email protected] Roll Flutter Engine from 03de8a41995b to f5fbd9cd60c6 (2 revisions) (flutter/flutter#137467)
2023-10-28 [email protected] Instrument more disposables. (flutter/flutter#137309)
2023-10-28 [email protected] TextPainter should dispatch creation and disposal events. (flutter/flutter#137416)
2023-10-28 [email protected] Roll Flutter Engine from a76821199d9d to 03de8a41995b (2 revisions) (flutter/flutter#137464)
2023-10-28 [email protected] Roll Flutter Engine from f1e30b4b9f27 to a76821199d9d (3 revisions) (flutter/flutter#137462)
2023-10-28 [email protected] Roll Flutter Engine from 7e2aa68b2f27 to f1e30b4b9f27 (2 revisions) (flutter/flutter#137461)
2023-10-27 [email protected] Roll Flutter Engine from 513e007ed682 to 7e2aa68b2f27 (1 revision) (flutter/flutter#137460)
2023-10-27 [email protected] Roll Flutter Engine from 32bb5b057c86 to 513e007ed682 (3 revisions) (flutter/flutter#137457)
2023-10-27 [email protected] Roll Flutter Engine from f2ec263cebf9 to 32bb5b057c86 (1 revision) (flutter/flutter#137452)
2023-10-27 49699333+dependabot[bot]@users.noreply.github.com Bump github/codeql-action from 2.22.4 to 2.22.5 (flutter/flutter#137450)
2023-10-27 [email protected] Roll Flutter Engine from 453a04dbf891 to f2ec263cebf9 (2 revisions) (flutter/flutter#137449)
2023-10-27 [email protected] [web] Add 'nonce' prop to flutter.js loadEntrypoint (flutter/flutter#137204)
2023-10-27 [email protected] Roll Flutter Engine from 1e66c0ae7bda to 453a04dbf891 (1 revision) (flutter/flutter#137446)
2023-10-27 [email protected] Provide exception for listing an issue. (flutter/flutter#137092)
2023-10-27 [email protected] Roll Flutter Engine from 0bba9eeb8f5d to 1e66c0ae7bda (1 revision) (flutter/flutter#137442)
2023-10-27 [email protected] Roll Flutter Engine from a198ad4e740d to 0bba9eeb8f5d (1 revision) (flutter/flutter#137437)
2023-10-27 [email protected] Bump goldctl in .ci.yaml (flutter/flutter#137441)

If this roll has caused a breakage, revert this CL and stop the roller
using the controls here:
https://autoroll.skia.org/r/flutter-packages
Please CC [email protected],[email protected],[email protected] on the revert to ensure that a human
is aware of the problem.

To file a bug in Packages: https://github.com/flutter/flutter/issues/new/choose

To report a problem with the AutoRoller itself, please file a bug:
https://issues.skia.org/issues/new?component=1389291&template=1850622

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+doc/main/autoroll/README.md
@ditman ditman mentioned this pull request Nov 14, 2023
Merged
engine-flutter-autoroll added a commit to engine-flutter-autoroll/packages that referenced this pull request Feb 16, 2024
@engine-flutter-autoroll
15ccf24 [web] Add 'nonce' prop to flutter.js loadEntrypoint (flutter/…
260e2d6 
…flutter#137204)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jacobsimionato jacobsimionato jacobsimionato approved these changes

@eyebrowsoffire eyebrowsoffire eyebrowsoffire approved these changes

@mdebbar mdebbar Awaiting requested review from mdebbar

Assignees

No one assigned

Labels

autosubmit Merge PR when tree becomes green via auto submit App tool Affects the "flutter" command-line tool. See also t: labels.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add the ability to pass a CSP nonce to flutter.js that will be used when loading additional scripts

3 participants

@ditman @jacobsimionato @eyebrowsoffire