Keyboard shortcut code injection

Hello - I recently enabled keyboard shortcut on vaadin app (24). One of our google cloud armor rule blocks the request because it seems to contain javascript code. Are there any workaround so that Vaadin client doesn’t send javascript as payload to the backend?

The request payload looks like this.

{"csrfToken":"86ee871f-86e0-411a-8e04-00796d380444","rpc":[{"type":"event","node":1,"event":"keydown","data":{"event.shiftKey":false,"event.metaKey":false,"event.code":"KeyM","event.key":"m","(['KeyM'].indexOf(event.code) !== -1 || ['KeyM'].indexOf(event.key) !== -1) && !event.getModifierState('Shift') && event.getModifierState('Control') && !event.getModifierState('Alt') && !event.getModifierState('AltGraph') && !event.getModifierState('Meta') && (event.preventDefault() || true) && (event.stopPropagation() || true)":true,"event.isComposing":false,"(['Enter'].indexOf(event.code) !== -1 || ['Enter'].indexOf(event.key) !== -1) && !event.getModifierState('Shift') && !event.getModifierState('Control') && !event.getModifierState('Alt') && !event.getModifierState('AltGraph') && !event.getModifierState('Meta') && (event.stopPropagation() || true)":false,"event.ctrlKey":true,"event.repeat":false,"event.location":0,"event.altKey":false,"(['Escape','Esc'].indexOf(event.code) !== -1 || ['Escape','Esc'].indexOf(event.key) !== -1) && !event.getModifierState('Shift') && !event.getModifierState('Control') && !event.getModifierState('Alt') && !event.getModifierState('AltGraph') && !event.getModifierState('Meta') && (event.stopPropagation() || true)":false}}],"syncId":5,"clientId":5}

Thanks.

As far as I know there isn’t much you can do at the moment. That’s how currently ShortsCuts are build :/

No, there is simply not, so you need to configure the firewall to allow it. If firewall blocks this, the request handling will go unsync and Vaadin will resync frequently.

Thank you. I could be wrong, but this looks like allowing javascript inject at first glance. Could you please suggest or point out where I should look to understand how this works before opening up the firewall?

You can find the class here https://github.com/vaadin/flow/blob/a029658add2f0edc3681255eb7b235e713b1bc26/flow-server/src/main/java/com/vaadin/flow/component/ShortcutRegistration.java

Just noting that this is not limited to ShortCuts, if you use component.getElement().addEventListener(…) for some purpose and add event data, the same process will happen, here is an example from one of my add-ons

So if there would be such Firewall setting in use, some of the BeanTable’s key actions would not work, and forced resync would happen instead.

but this looks like allowing javascript inject at first glance
Vaadin does not run the JavaScript on server (with the exception of Charts SVG capture, which is using Node and JavaScript for that, but that is another matter). But anyway, there is no accidental possibility for this. You would need to install Node in production and in your application code specifically submit JavaScript to it for execution. So if someone is asking what is possible and what not, tell that.