...
HOOPS Communicator is compatible with CSP. However, because we use WebAssembly, there are some special setup requirements.
...
Learn more about configuring CSP with the HOOPS Communicator Web Viewer
...
Once you’ve configured CSP on your web server and you’ve added policy directives to your web page, you’re going to see this error:
...
To clear this error, you’re going to need to add the following policy:
```html
<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-eval'">
```
Note: One of the main advantages of CSP is protection against inline script execution and calls to the JavaScript eval() and Function() routines, so this policy is not generally recommended. We strongly recommend that you also include other directives, such as only loading JavaScript from a trusted domain, using SSL, and adding directives to only load resources over HTTPS. For more info, see here.
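The recommendations in the note can be checked mechanically. The following is an added example, not HOOPS Communicator code: it parses a policy string and reports whether eval is allowed, whether script origins are restricted, and whether HTTPS is enforced. The finding codes and the `viewer.example.com` origin are constructed for illustration.

```javascript
// Added example (not HOOPS Communicator code): audit a CSP string for the
// points raised in the note above. Origins used below are constructed placeholders.

// Parse a policy into a Map of directive name -> list of source expressions.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Return a list of finding codes for the script-related parts of the policy.
function auditScriptPolicy(policy) {
  const directives = parseCsp(policy);
  // script-src falls back to default-src when it is absent.
  const sources = directives.get('script-src') || directives.get('default-src');
  if (!sources) return ['scripts-unrestricted'];
  const lower = sources.map((s) => s.toLowerCase());
  const findings = [];
  if (lower.includes("'unsafe-eval'")) findings.push('eval-allowed');
  // Browsers ignore 'unsafe-inline' when a nonce or hash source is present.
  const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  if (lower.includes("'unsafe-inline'") && !hasNonceOrHash) findings.push('inline-allowed');
  // Host and scheme sources are the unquoted tokens.
  const origins = lower.filter((s) => !s.startsWith("'"));
  const broad = (s) => s === '*' || s === 'https:' || s === 'http:' || s.startsWith('http://');
  if (origins.some(broad)) findings.push('untrusted-or-insecure-origin');
  if (!directives.has('upgrade-insecure-requests')) findings.push('no-https-upgrade');
  return findings;
}

// Constructed sample policies: the one from this page, then a tightened variant.
const pagePolicy = "script-src 'unsafe-eval'";
const tightened =
  "default-src 'self'; script-src 'self' https://viewer.example.com 'unsafe-eval'; " +
  'upgrade-insecure-requests';

console.log(auditScriptPolicy(pagePolicy)); // [ 'eval-allowed', 'no-https-upgrade' ]
console.log(auditScriptPolicy(tightened)); // [ 'eval-allowed' ]
```

The tightened policy still reports `eval-allowed`, since that is the allowance the page says is needed, but scripts are limited to named HTTPS origins and insecure requests are upgraded.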
WebAssembly and Content Security Policy
Under CSP, WebAssembly needs the same permission as the JavaScript eval() function to run properly. There is a proposal on the table to create a special WebAssembly directive called “wasm-unsafe-eval” that would allow WebAssembly to run correctly without requiring the user to allow all eval calls on the web application. You can read more about that proposal (https://github.com/WebAssembly/content-security-policy/blob/master/proposals/CSP.md) in our forum post.