What is a Content Security Policy?
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to the distribution of malware. For more information, check out this article on the Mozilla Developer Network.
HOOPS Communicator is compatible with CSP. However, because the web viewer runs WebAssembly, there are some additional setup requirements.
Configuring CSP with the HOOPS Communicator Web Viewer
Once you’ve configured CSP on your web server and added policy directives to your web page, loading the viewer will fail and you’re going to see a CSP violation error like this in the browser console:
To clear this error, your policy’s script-src directive needs to allow evaluation. The minimal form is:
<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-eval'">
Note that 'unsafe-eval' is a source keyword, not a complete policy: add it alongside the sources your script-src directive already lists (such as 'self'), rather than adding it as a second <meta> tag or a second header. A page subject to several policies must satisfy all of them, so a separate policy containing only script-src 'unsafe-eval' would block the viewer’s own scripts instead of fixing the error.
One of the main advantages of CSP is protection against inline script execution and against calls to eval() and the Function() constructor, so relaxing it with 'unsafe-eval' is not generally recommended. If you do allow it, we strongly recommend compensating with other directives: load JavaScript only from trusted origins that you list explicitly, serve the page over TLS, and add directives so that resources are loaded only over HTTPS. For more info, see here.
WebAssembly and Content Security Policy
WebAssembly does not call the JavaScript eval() function itself, but browsers treat compiling WebAssembly from bytes as the same class of risk and gate it behind the 'unsafe-eval' keyword in script-src, so the viewer cannot start without it. There is a proposal to add a separate source keyword, 'wasm-unsafe-eval', that would allow WebAssembly to compile and run without also permitting every eval() call in the web application. You can read more about that proposal at https://github.com/WebAssembly/content-security-policy/blob/master/proposals/CSP.md. The keyword has since been adopted into CSP Level 3 and is supported by current browsers; browsers that predate it ignore the unknown keyword and still need 'unsafe-eval', so check support for the browsers you target before tightening the policy.
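The following is an added example, written for this page and not part of HOOPS Communicator or its documentation. It reads a CSP string the way a browser does for script execution, reports whether the policy lets the viewer compile WebAssembly (covering both the script-src fix above and the 'wasm-unsafe-eval' keyword), shows why stacking a second policy can only tighten the result, and probes the policy actually enforced at runtime. The policies and the origin viewer.example.com are constructed for illustration; the keyword semantics assumed are those of CSP Level 3.

```javascript
// Added example (not HOOPS Communicator code): read a CSP string the way the
// browser does for script execution, report whether it lets the web viewer
// compile WebAssembly, and probe the enforced policy at runtime.

// Parse "directive src src; directive ..." into a Map. The first occurrence of
// a directive wins and later duplicates are ignored, as the CSP spec requires.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// script-src governs both JavaScript evaluation and WebAssembly compilation.
// When it is absent the browser falls back to default-src; with neither
// present, script execution is not restricted at all.
function classifyCsp(policy) {
  const directives = parseCsp(policy);
  const sources = directives.get('script-src') || directives.get('default-src');
  if (!sources) {
    return { jsEval: true, wasmCompile: true, selfScripts: true, unrestricted: true };
  }
  const jsEval = sources.includes("'unsafe-eval'");
  // 'wasm-unsafe-eval' (CSP Level 3) unlocks only WebAssembly; 'unsafe-eval' unlocks both.
  const wasmCompile = jsEval || sources.includes("'wasm-unsafe-eval'");
  // Scripts served from the page's own origin need 'self' in the source list.
  const selfScripts = sources.includes("'self'");
  return { jsEval, wasmCompile, selfScripts, unrestricted: false };
}

// A page under several policies (a header plus a <meta> tag, or two <meta>
// tags) must satisfy every one of them, so a second policy can only tighten.
function combinePolicies(policies) {
  const results = policies.map(classifyCsp);
  const all = (key) => results.every((r) => r[key]);
  return { jsEval: all('jsEval'), wasmCompile: all('wasmCompile'), selfScripts: all('selfScripts') };
}

// Runtime probe: compile the smallest valid module, the 8-byte header
// "\0asm" followed by version 1 (constructed here, not a HOOPS module).
// Under a policy that lacks 'unsafe-eval' and 'wasm-unsafe-eval', browsers
// throw here; that is the failure the viewer surfaces when CSP blocks it.
function probeWasmCompile() {
  const emptyModule = new Uint8Array([0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00]);
  try {
    new WebAssembly.Module(emptyModule);
    return { allowed: true, error: null };
  } catch (err) {
    return { allowed: false, error: `${err.name}: ${err.message}` };
  }
}

// Constructed sample policies: the bare fix from above, a tightened policy
// that still grants eval, and the form that unlocks WebAssembly only.
// viewer.example.com is a placeholder origin, not a real HOOPS endpoint.
const POLICIES = {
  bareFix: "script-src 'unsafe-eval'",
  tightened: "default-src 'self'; script-src 'self' 'unsafe-eval'; connect-src 'self' https://viewer.example.com; upgrade-insecure-requests",
  wasmOnly: "default-src 'self'; script-src 'self' 'wasm-unsafe-eval'; upgrade-insecure-requests",
};

for (const [name, policy] of Object.entries(POLICIES)) {
  console.log(name, classifyCsp(policy));
}
console.log("existing script-src 'self' plus the bare fix as a second policy:",
  combinePolicies(["script-src 'self'", POLICIES.bareFix]));
console.log('runtime probe:', probeWasmCompile());
```

Run it in Node to see the static classification (the bare fix permits WebAssembly but, used as the whole script-src, blocks the page's own scripts; the combined pair blocks both), then paste probeWasmCompile into the browser console of the page that carries your real policy to confirm what is actually enforced. Node enforces no CSP, so the probe reports allowed there.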