RAP 3.21 is here with improved security and a new source code home

As part of Eclipse 2022-06 last week we released RAP 3.21. The highlights of this release are:

Possibility to define the Content Security Policy (CSP)

We added the ability to set a Content Security Policy (a string with directives) to the RAP application. The implementation is based on the script nonce attribute, whereby only allowed scripts are executed.

Content-Security-Policy: script-src 'nonce-2726c7f26c'

A dynamically generated nonce value will be added at runtime. Use ’nonce-’ in your script-src directive. Example of a CSP:

script-src 'strict-dynamic' 'nonce-' http: https:; object-src 'none'; base-uri 'none';

For a workbench application, the CSP can be set in a new csp attribute of the entrypoint extension in plugin.xml. In other cases, use the new org.eclipse.rap.rwt.client.WebClient.CSP property when defining an entrypoint in the ApplicationConfiguration.

public class MyApplication implements ApplicationConfiguration {

  public void configure( Application application ) {
    Map properties = new HashMap();
    ...
    properties.put( WebClient.CSP, "script-src 'strict-dynamic' 'nonce-' http: https:; object-src 'none'; base-uri 'none';" );
    application.addEntryPoint( "/", MyApp.class, properties );
  }
}

Note: Without 'unsafe-eval' in your CSP script-src directive, the following RAP features will not work:

• org.eclipse.swt.browser.Browser.execute(String)
• org.eclipse.swt.browser.Browser.evaluate(String)
• org.eclipse.swt.browser.Browser.evaluate(String, BrowserCallback)
• org.eclipse.swt.browser.BrowserFunction
• org.eclipse.rap.rwt.scripting.ClientListener
• org.eclipse.rap.rwt.client.service.JavaScriptExecutor

JavaScript client improvements

Two major changes to the JavaScript client have been introduced. The UI and server push requests now use fetch instead of XHR. This allows us to intercept and process the redirect requests by the framework. In order to support strict CSP, the property system of the JavaScript client has been reworked to eliminate the places where JavaScript is generated from strings.

Migration to GitHub

The Eclipse RAP project is now using GitHub for source code and issue tracking instead of Gerrit and Bugzilla.

Instead of Gerrit, we will do our development via GitHub from now on. Under the new Eclipse RAP organisation, the previous Git repositories with all branches and tags can now be found there, whereby the main development is now done in the main instead of the master branch. The old Gerrit repositories will remain in read-only mode and will no longer be updated.

The same applies to issue tracking: For our future work, we will use GitHub issues only. Old bugs remain in Bugzilla, but new ones should only be created as GitHub issues for the Eclipse RAP projects.

All relevant build jobs have been updated, and our dedicated Jenkins instance remains the same.

If you need support for your RAP-based application, check our developer support offering or contact us to discuss your use case!