Select to view content in your preferred language

Content Security Policy at 4.27 requires unsafe-eval?

08-19-2023 05:05 AM
New Contributor II

This documentation Frequently Asked Questions | Overview | ArcGIS Maps SDK for JavaScript 4.27 | ArcGIS Developers implies that 'unsafe-eval' is not required in the Content Security Policy while 'wsam-usafe-eval' is required.  When I remove 'unsafe-eval' from CSP I get an error in developer console on init.js line 34 saying it is blocked by CSP.  The CSP does not allow the use of new Function.  Is there a work around for this or do I need to include 'unsafe-eval' in my CSP?

!a("host-webworker") && a("host-browser") && (a.add("esri-csp-restrictions", ()=>{
try {
new Function
} catch {
return !0
return !1

0 Kudos
2 Replies
Esri Contributor

Hi @AnnaWilliams -

When working with a vanilla ArcGIS JS SDK application, using 'wasm-unsafe-eval' by itself without 'unsafe-eval' works fine in the CSP directive. Are you working with a specific framework? Do you have more information on your error message or could you provide an example of what's not working?

0 Kudos
New Contributor II

Thank you for the reply!  No special framework.  It is a .NET 6 application using an on-premises ArcGIS Server with locally hosted version of the AMD modules via ArcGIS CDN.  

The error appearing in the web brower's developer console, indicates a function that is contained in the JavaScript API's init.js file.  This does not appear to be breaking anything in my application at this point I will have to do further testing to confirm.  

You said your CSP directive worked fine does that mean you did not see any CSP errors in the developer console?  or that despite the errors everything worked fine?


0 Kudos