unsafe-eval required when setting up CSP header
Is there any chance to fix the code being blocked by the CSP in future releases? https://web.dev/articles/csp?utm_source=devtools#unsafe-eval
We'd like to use Molstar but it goes against our SOC2 policies.
It would require removing instances of eval(), new Function(), setTimeout([string], …), and setInterval([string], ...)
🥺 🙏
Yes, it would be possible. There are only a few cases of new Function:
- setImmediate polyfill -- can be just removed as we don't use the string callback here
- string interpolate function
- Binding.format: this could be replaced by a simple .replace('${triggers}', ...)
- Swagger UI: this could be modified to use basic string "replace all" too.
- model and volume server id -> path mapping. Could be implemented without both Function and interpolate
Perhaps you can make a PR with it?
@cmonnom care to do a PR?
still happy to accept a PR
Sorry, I never saw your messages until now. I don't have the bandwidth to get into the weeds of Molstar. @dsehnal seems pretty well versed in what and where.