This documentation (Frequently Asked Questions | Overview | ArcGIS Maps SDK for JavaScript 4.27 | ArcGIS Developers) implies that 'unsafe-eval' is not required in the Content Security Policy while 'wasm-unsafe-eval' is required. When I remove 'unsafe-eval' from the CSP I get an error in the developer console on init.js line 34 saying it is blocked by CSP. The CSP does not allow the use of new Function. Is there a workaround for this or do I need to include 'unsafe-eval' in my CSP?
!a("host-webworker") && a("host-browser") && (a.add("esri-csp-restrictions", ()=>{
    try {
        new Function
    } catch {
        return !0
    }
    return !1
}
),
Hi @AnnaWilliams -
When working with a vanilla ArcGIS JS SDK application, using 'wasm-unsafe-eval' by itself without 'unsafe-eval' works fine in the CSP directive. Are you working with a specific framework? Do you have more information on your error message or could you provide an example of what's not working?
Thank you for the reply! No special framework. It is a .NET 6 application using an on-premises ArcGIS Server with a locally hosted version of the AMD modules via ArcGIS CDN.
The error appearing in the web browser's developer console indicates a function that is contained in the JavaScript API's init.js file. This does not appear to be breaking anything in my application at this point; I will have to do further testing to confirm.
You said your CSP directive worked fine. Does that mean you did not see any CSP errors in the developer console, or that despite the errors everything worked fine?
I know this is an old topic.
But this is exactly what I'm seeing now still.
This code is still present in the 4.34/init.js:
r("host-webworker")||r("host-browser")&&(r.add("esri-csp-restrictions",()=>{try{new Function}catch{return!0}return!1})
That 'new Function', though caught in a try/catch, still triggers a CSP error in the browser. And when CSP reporting is enabled, it also creates log entries.
The map works just fine even when this occurs. Why even test whether there's CSP? What do you do differently when you've detected this? Just be CSP compatible. No unsafe-inline, no unsafe-eval.
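
One way to keep the report log entries described in this thread from hiding real findings, as an added example (not code from the thread or from Esri): a server-side triage of legacy `report-uri` JSON bodies that tags the `new Function` probe in `init.js` as known noise while still surfacing every other eval or WebAssembly violation. The hostnames, paths, sample reports and the `KNOWN_PROBES` list are constructed assumptions.

```javascript
// Hypothetical allowlist: the one place an eval violation is expected.
// Host and path are constructed; set them to where your copy of init.js is served.
const KNOWN_PROBES = [
  { host: "gis.example.internal", pathSuffix: "/init.js", blocked: "eval" },
];

// Classify one parsed report body ({"csp-report": {...}}).
function classifyReport(body) {
  const r = body && body["csp-report"];
  if (!r) return "malformed";
  const directive = r["effective-directive"] || r["violated-directive"] || "";
  const blocked = r["blocked-uri"] || "";
  // Browsers report "eval" for eval/new Function and "wasm-eval" for WebAssembly.
  if (!directive.startsWith("script-src") || !["eval", "wasm-eval"].includes(blocked)) {
    return "other";
  }
  let src;
  try {
    src = new URL(r["source-file"]);
  } catch {
    return "investigate"; // missing or unparsable source: never auto-suppress
  }
  const known = KNOWN_PROBES.some(
    (p) => src.host === p.host && src.pathname.endsWith(p.pathSuffix) && blocked === p.blocked
  );
  return known ? "known-probe" : "investigate";
}

// Count by class so suppressed probe reports stay visible as a number.
function summarize(reports) {
  const counts = {};
  for (const body of reports) {
    const c = classifyReport(body);
    counts[c] = (counts[c] || 0) + 1;
  }
  return counts;
}

// Constructed sample reports.
const mk = (directive, blocked, source) => ({
  "csp-report": { "effective-directive": directive, "blocked-uri": blocked, "source-file": source },
});
const SAMPLE = [
  mk("script-src", "eval", "https://gis.example.internal/arcgis/init.js"),      // the probe
  mk("script-src", "eval", "https://app.example.internal/js/widget.js"),        // other code using eval
  mk("script-src", "eval", "https://cdn.example.net/init.js"),                  // same file name, other host
  mk("script-src", "wasm-eval", "https://gis.example.internal/arcgis/init.js"), // 'wasm-unsafe-eval' missing
  mk("img-src", "https://img.example.net/a.png", "https://app.example.internal/"),
];
console.log(summarize(SAMPLE));
```

A `wasm-eval` report from the SDK's own files is deliberately left as `investigate`, since it means the policy is missing the 'wasm-unsafe-eval' source that the thread says is required.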
