
RAP 3.21 M1 - New and Noteworthy

Here's a list of the most noteworthy things in the RAP 3.21 M1 milestone build, which has been available for download since April 15, 2022.

Possibility to define Content Security Policy (CSP)

In this milestone, we added the ability to set a Content Security Policy (a string of CSP directives) for a RAP application. The implementation is based on the script nonce attribute: the browser executes only those scripts whose nonce attribute matches the nonce value named in the policy, so injected inline script that does not know the nonce is not run.

Content-Security-Policy: script-src 'nonce-2726c7f26c'

A nonce value is generated dynamically at runtime and inserted in place of the 'nonce-' placeholder in your script-src directive, so write the placeholder literally, without a value. Example of CSP:

script-src 'strict-dynamic' 'nonce-' http: https:; object-src 'none'; base-uri 'none';

Note that when 'strict-dynamic' is present, browsers implementing CSP Level 3 ignore the http: and https: allowlist entries and trust only the nonced scripts and the scripts those load at runtime; the allowlist entries serve only as a fallback for older browsers that do not understand 'strict-dynamic'.

For a workbench application, the CSP can be set in a new csp attribute of the entrypoint extension in plugin.xml. In other cases, use the new org.eclipse.rap.rwt.client.WebClient.CSP property when defining an entrypoint in the ApplicationConfiguration.

import java.util.HashMap;
import java.util.Map;

import org.eclipse.rap.rwt.application.Application;
import org.eclipse.rap.rwt.application.ApplicationConfiguration;
import org.eclipse.rap.rwt.client.WebClient;

public class MyApplication implements ApplicationConfiguration {

  @Override
  public void configure( Application application ) {
    Map<String, String> properties = new HashMap<String, String>();
    ...
    // The 'nonce-' placeholder is replaced with the generated nonce value at runtime
    properties.put( WebClient.CSP, "script-src 'strict-dynamic' 'nonce-' http: https:; object-src 'none'; base-uri 'none';" );
    application.addEntryPoint( "/", MyApp.class, properties );
  }
}

Note: Without 'unsafe-eval' in your CSP script-src directive, the following RAP features will not work:

  • org.eclipse.swt.browser.Browser.execute(String)
  • org.eclipse.swt.browser.Browser.evaluate(String)
  • org.eclipse.swt.browser.Browser.evaluate(String, BrowserCallback)
  • org.eclipse.swt.browser.BrowserFunction
  • org.eclipse.rap.rwt.scripting.ClientListener
  • org.eclipse.rap.rwt.client.service.JavaScriptExecutor

JavaScript client improvements

Two major changes to the JavaScript client have been introduced. UI and server push requests now use fetch instead of XMLHttpRequest (XHR), which lets the framework itself intercept and process redirect responses instead of having the browser follow them transparently. In order to support a strict CSP, the property system of the JavaScript client has been reworked to eliminate the places where JavaScript code was generated from strings, which would require 'unsafe-eval'.

Issues fixed