Interface CspSupport
Content Security Policy (CSP)
Content Security Policy (CSP) and Component Frameworks
The browser Content Security Policy mechanism includes script-src directives such as 'unsafe-eval' and 'unsafe-inline' that restrict the use of eval(), new Function(), inline event handlers, and dynamic script loading. These restrictions were introduced to mitigate injection attacks in applications where untrusted user input is carelessly concatenated into executable code — a class of vulnerability that arises primarily from naive application-level coding practices, not from the use of mature, security-audited frameworks.
Smart GWT does not currently support running under a CSP policy that disables unsafe-eval or unsafe-inline. This is a deliberate architectural decision, not an oversight. The sections below explain why.
Why CSP Provides No Meaningful Security Benefit for Component Frameworks
CSP's script-src directives were designed to protect against a specific threat: an attacker who can inject a string into an HTML page such that it is executed as code. This threat is real when application developers use patterns like:
element.innerHTML = "<img onerror='steal(document.cookie)' src=x>";
eval("processData(" + userInput + ")");
In a Smart GWT application, developers do not write code like this. The framework manages all DOM rendering, event handling, and server communication through controlled internal pathways. User-supplied data flows through typed DataSource fields, validated both client- and server-side, and is never interpolated into executable contexts. The attack surface that CSP was designed to close simply does not exist in a properly built Smart GWT application.
Smart GWT has been deployed by major banks, defense contractors, intelligence agencies, and financial institutions worldwide for over two decades, passing hundreds of independent security audits, with no history of meaningful injection exploits against the framework itself. This real-world security track record is far more significant than compliance with a header that addresses an inapplicable threat model.
Most Advanced Frameworks Cannot Fully Support CSP
Smart GWT is not unusual in this regard. The more capable and feature-rich a JavaScript framework is, the more likely it is to rely on dynamic code generation for core functionality. Among major frameworks:
- Vue.js and Ember.js: Both rely on dynamic template compilation at runtime, which requires
unsafe-eval. Avoiding it requires a precompilation build step that eliminates runtime template compilation entirely, meaning templates cannot be composed or modified dynamically at runtime. - Angular: The JIT (Just-In-Time) compiler requires
unsafe-eval. The AOT (Ahead-Of-Time) mode avoids it, but at the cost of eliminating dynamic template compilation, requiring a heavyweight precompilation build, and producing larger deployment bundles. Many Angular libraries and plugins still assume JIT availability. - Ext JS / Sencha: Uses dynamic code generation extensively for templates, formulas, and data binding, and does not fully support strict CSP.
Frameworks that do claim full CSP support tend to be either much simpler (providing no comparable dynamic features), or they achieve compatibility only through a precompilation step that sacrifices the ability to compose, modify, or generate UI definitions at runtime. Every framework that has undertaken CSP compatibility documents resulting performance penalties, increased bundle sizes, and reduced runtime capabilities.
Capabilities and Performance Lost Under CSP Restrictions
Smart GWT uses eval(), new Function(), and related facilities for their intended purpose: high-performance code generation, powerful dynamic features, and runtime flexibility. These are not naive uses of dangerous APIs — they are deliberate architectural choices that deliver significant value. Disabling them would degrade or eliminate the following capabilities:
User-Defined Formula Fields, Summary Fields, and Dynamic Properties
End users can define calculated grid columns using spreadsheet-like formula expressions (e.g., A + B * 0.1) and summary templates (e.g., #{lastName}, #{firstName}). These are compiled into JavaScript functions for evaluation on every grid row. Dynamic Properties use the same mechanism: a component property value can be computed from data values and other application context via a UserFormula or UserSummary expression — for example, deriving a grid column's title from a formula like ruleScope.currentUser.region. Without dynamic code generation, none of these user-defined function capabilities would be available.
Server Communication Performance
Smart GWT uses an optimized pseudo-JSON serialization format for server responses that supports JavaScript Date constructors and other non-strict-JSON constructs. Deserializing these responses falls back to eval() when JSON.parse() cannot handle the format. Under CSP restrictions, every server response would need to use strict JSON, requiring additional server-side serialization overhead and client-side date reconstruction, measurably slowing all DataSource operations.
The Smart GWT Developer Console is a powerful debugging tool that allows developers to evaluate arbitrary JavaScript expressions against live application state, inspect component trees, watch DataSource traffic, and profile performance. All of this depends on dynamic code evaluation. Without it, the single most important tool for diagnosing issues in running Smart GWT applications would be non-functional.
Reify (Low Code Visual Builder)
Reify enables visual, drag-and-drop application construction that generates Smart GWT component trees from declarative screen definitions. Screens loaded from the server (via RPCManager.loadScreen() and RPCManager.createScreen()) are instantiated by evaluating their JavaScript representation at runtime. CSP restrictions would make it impossible to load or create screens dynamically, defeating the purpose of the tool.
AI Integration and AI-Generated Components
Smart GWT's AI features allow natural-language operations like filtering grids, adding calculated columns, and generating entire data-bound components from user descriptions. The AI engine produces JavaScript component definitions that must be dynamically evaluated to create live UI. Chain-of-Thought prompt templates also use dynamic expression evaluation for variable interpolation. These features are fundamentally incompatible with CSP eval restrictions.
The FileLoader and Dynamic Module Loading
FileLoader supports background loading and caching of JavaScript and CSS resources to optimize application startup time. The scriptInclude RPC transport enables cross-domain communication by dynamically injecting <script> tags. Both mechanisms are restricted under strict CSP policies.
Internal Performance Optimizations
Throughout the framework, new Function() is used to generate optimized accessor functions, criteria evaluators, and serialization routines. These dynamically compiled functions are significantly faster than interpreted alternatives because the JavaScript engine can JIT-compile them with full optimization. Replacing them with generic, data-driven alternatives would produce measurably slower execution across many hot code paths, including DataSource filtering, record validation, grid rendering, and sort operations.
Effective Alternatives to CSP for Application Security
Rather than crippling the framework to comply with a policy that addresses an inapplicable threat, organizations concerned about application-level code quality have several effective alternatives:
- Static analysis: Tools like ESLint (and dozens of alternatives) can enforce rules that prohibit
eval()and similar patterns in application-level code, which is where injection risks actually originate. - Strict mode: JavaScript
"use strict"prevents certain unsafe patterns at the language level. - TypeScript and ES6+ tooling: Type checking and module systems used for application code naturally prevent the string-interpolation patterns that lead to injection vulnerabilities. Smart GWT has excellent
TypeScript support. - Code review: Security-sensitive organizations already mandate code review, which catches injection patterns far more reliably than blunt runtime restrictions that also disable legitimate framework functionality.
These approaches target the actual source of risk — application code written by developers who may be inexperienced with security — without degrading the capabilities of battle-tested framework code.
Official Stance and Feature Sponsorship
Smart GWT does not plan to add CSP unsafe-eval compatibility to its roadmap, because doing so would mean permanently maintaining a crippled, slower variant of the framework with no genuine security benefit.
However, for customers who face an intractable organizational requirement for CSP compliance, we offer the possibility of creating a restricted mode through our Feature Sponsorship program. Such an effort would produce a version of the framework that can run under unsafe-eval restrictions, with the following caveats:
- A significant subset of features (including the Developer Console, user-defined formula and summary fields, Dynamic Properties, Reify screen loading, AI-generated UI, the
scriptIncludetransport, and others) would be unavailable in this mode. - Server communication, DataSource operations, and component rendering would be measurably slower due to the elimination of dynamically compiled code paths.
- Certain browser-specific workarounds that currently use dynamic code generation would be removed, potentially introducing new edge-case bugs related to memory management and accessibility.
- The resulting restricted mode would not be backwards compatible with existing applications that use any of the affected features.
- Because the full-capability and restricted modes would need to be maintained in parallel, Feature Sponsorship for this work involves substantial initial and ongoing costs.
If your organization has this requirement, contact Isomorphic Software to discuss scope and sponsorship terms.