FAQ: Can I use the Communicator Web Viewer with CSP Rules?

What is a Content Security Policy?

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to the distribution of malware. For more information, check out this article on the Mozilla Developer Network.

HOOPS Communicator is compatible with CSP; however, because it uses WebAssembly, there are some special setup requirements.

Configuring CSP with the HOOPS Communicator Web Viewer

Once you’ve configured CSP on your web server and you’ve added policy directives to your web page, you’re going to see this error:

To clear this error, you’re going to need to add the following policy:

<meta http-equiv="Content-Security-Policy" content="script-src 'wasm-unsafe-eval'">

One of the main advantages of CSP is protection against inline script execution and against calls to JavaScript's eval() and the Function() constructor, so we no longer recommend the directive 'unsafe-eval' that a previous version of this FAQ recommended (before a WebAssembly-specific directive existed). We strongly recommend that you also include other directives, such as loading JavaScript only from a trusted domain, using SSL, and adding directives to load resources only over HTTPS. For more info, see here.
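To see what the two keywords actually permit, here is an added example (not HOOPS Communicator code) that parses the script-src of a policy and reports whether WebAssembly compilation, eval()-style execution, inline scripts and a given script URL would be allowed. The policy string, origins and host names are constructed for the example; nonces, hashes, ports, paths and 'strict-dynamic' are out of scope.

```javascript
// Added example: inspect a CSP's script-src and report what it permits.
function getScriptSources(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives.set(name.toLowerCase(), sources);
  }
  // script-src wins; otherwise default-src applies; with neither, scripts are unrestricted.
  return directives.get("script-src") ?? directives.get("default-src") ?? null;
}

function sourceMatches(source, url, selfOrigin) {
  const target = new URL(url);
  if (source === "'self'") return target.origin === new URL(selfOrigin).origin;
  if (source.startsWith("'")) return false;          // other keywords never match a URL
  if (source === "*") return /^https?:$/.test(target.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {         // scheme-source such as "https:"
    return target.protocol === source.toLowerCase();
  }
  // host-source: optional scheme, optional "*." wildcard, host (ports and paths ignored here)
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && `${scheme.toLowerCase()}:` !== target.protocol) return false;
  if (!scheme && !/^https?:$/.test(target.protocol)) return false;
  const h = target.hostname.toLowerCase(), want = host.toLowerCase();
  return wildcard ? h.endsWith(`.${want}`) : h === want;
}

function evaluateScriptPolicy(policy, selfOrigin) {
  const sources = getScriptSources(policy);
  if (sources === null) {
    return { allowsEval: true, allowsWasm: true, allowsInline: true, allowsScript: () => true };
  }
  const has = (kw) => sources.includes(kw);
  return {
    // eval(), new Function() and string timers need 'unsafe-eval'; 'wasm-unsafe-eval' does not cover them
    allowsEval: has("'unsafe-eval'"),
    // WebAssembly.compile / instantiate from bytes is permitted by either keyword
    allowsWasm: has("'unsafe-eval'") || has("'wasm-unsafe-eval'"),
    allowsInline: has("'unsafe-inline'"),
    allowsScript: (url) => sources.some((s) => sourceMatches(s, url, selfOrigin)),
  };
}

// Constructed sample: the FAQ's keyword plus a trusted CDN and HTTPS-only sources.
const SAMPLE_POLICY =
  "default-src 'self'; script-src 'self' https://cdn.example.com 'wasm-unsafe-eval'; img-src https:";
const report = evaluateScriptPolicy(SAMPLE_POLICY, "https://app.example.com");
console.log(report.allowsWasm, report.allowsEval); // true false
```

With this policy the WebAssembly module loads, while any remaining window.eval() or new Function() call in a bundle is still reported as a violation.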

Hello, I am looking to tighten up my CSP rules and switch to the 'wasm-unsafe-eval' only option as suggested, however when I try this I get the hoops code rejected due to the use of window.eval.

Digging deeper it appears to relate to the 3DconnexionJS driver - there is a string that is evaluated to load some kind of driver.

I’m looking at HOOPS_Communicator_2025.5.0, in each of the hoops-web-viewer*.*js files

Can this eval be removed from hoops, and can you suggest a workaround in the meantime? I’ll have a go at deleting the code but that isn’t ideal.

If you are not using the 3Dconnexion SpaceMouse, you can remove the window.eval() call. This part of the code is specific to the 3Dconnexion device.

Good to know, thanks. Is there a plan to resolve this dependency on eval? I would prefer to support use of the SpaceMouse for customers who are used to using one.

Digging deeper, I’ve found several violations of eval requiring script-src: unsafe-eval, which makes me think perhaps I’m using the SDK incorrectly, given this conflicts with the advice in the original post?

I’m looking at the js files in sdk path web_viewer, such as web_viewer/hoops-web-viewer.mjs, and I see several cases of manual function construction, e.g.

new Function("body", "return function " + a + `() {
    "use strict";    return body.apply(this, arguments);
};
`)(c)

Hello @zak,

I’m checking with our engineering team about your situation. If escalation is warranted, I’ll create a support ticket on your behalf.

Thanks,
Tino