FAQ: Can I use the Communicator Web Viewer with CSP Rules?

What is a Content Security Policy?

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to the distribution of malware. For more information, check out this article on the Mozilla Developer Network.

HOOPS Communicator is compatible with CSP, however, because we use WebAssembly, there are some special setup requirements.

Configuring CSP with the HOOPS Communicator Web Viewer

Once you’ve configured CSP on your web server and you’ve added policy directives to your web page, you’re going to see this error:

To clear this error, you’re going to need to add the following policy:

1<meta http-equiv="Content-Security-Policy" content="script-src 'wasm-unsafe-eval'">

One of the main advantages of CSP is protection against inline script execution and calls to the JavaScript eval() and function() routines, so we do not recommend using the directive “unsafe-eval” any longer as a previous version of this FAQ recommended (before there was an wasm specific directive). We strongly recommended that you also include other directives such as only loading JavaScript from a trusted domain, using SSL, and adding directives to only load resources over HTTPS. For more info, see here.