topic Re: Content Security Policy at 4.27 requires unsafe-eval? in ArcGIS JavaScript Maps SDK Questions

Content Security Policy at 4.27 requires unsafe-eval?

AnnaWilliams — Sat, 19 Aug 2023 12:05:52 GMT

This documentation Frequently Asked Questions | Overview | ArcGIS Maps SDK for JavaScript 4.27 | ArcGIS Developers implies that 'unsafe-eval' is not required in the Content Security Policy while 'wsam-usafe-eval' is required. When I remove 'unsafe-eval' from CSP I get an error in developer console on init.js line 34 saying it is blocked by CSP. The CSP does not allow the use of new Function. Is there a work around for this or do I need to include 'unsafe-eval' in my CSP?

!a("host-webworker") && a("host-browser") && (a.add("esri-csp-restrictions", ()=>{
try {
new Function
} catch {
return !0
}
return !1
}
),

Re: Content Security Policy at 4.27 requires unsafe-eval?

LaurenBoyd — Mon, 21 Aug 2023 23:52:47 GMT

Hi @AnnaWilliams -

When working with a vanilla ArcGIS JS SDK application, using 'wasm-unsafe-eval' by itself without 'unsafe-eval' works fine in the CSP directive. Are you working with a specific framework? Do you have more information on your error message or could you provide an example of what's not working?

Re: Content Security Policy at 4.27 requires unsafe-eval?

AnnaWilliams — Tue, 22 Aug 2023 09:39:53 GMT

Thank you for the reply! No special framework. It is a .NET 6 application using an on-premises ArcGIS Server with locally hosted version of the AMD modules via ArcGIS CDN.

The error appearing in the web brower's developer console, indicates a function that is contained in the JavaScript API's init.js file. This does not appear to be breaking anything in my application at this point I will have to do further testing to confirm.

You said your CSP directive worked fine does that mean you did not see any CSP errors in the developer console? or that despite the errors everything worked fine?

Re: Content Security Policy at 4.27 requires unsafe-eval?

AlexHaan-iWink — Fri, 24 Oct 2025 12:30:02 GMT

I know this is an old topic.

But this is exactly what I'm seeing now still.

This code is still present in the 4.34/init.js:

r("host-webworker")||r("host-browser")&&(r.add("esri-csp-restrictions",()=>{try{new Function}catch{return!0}return!1})

That 'new Function', though caught in a try/catch, still triggers a CSP error in the browser. And when CSP report is enabled, also creates log entries.

The map works just fine even when this occurs. Why even test whether there's CSP? What do you do differently when you've detected this? Just be CSP compatible. No unsafe-inline, no unsafe-eval.