Issue: Content Security Policy 'unsafe-eval' Conflict using HTML5 FMOD


I’m starting to build a frontend for a website that will use FMOD for audio.
For security purposes (and it looks like it is widely considered as a security best practice), I have turned off ‘unsafe-eval’ for all browser scripts.

But now the browser throws an error when calling FMODModule due to a function in fmod_reduced.js called createNamedFunction that is running some dynamic JS. (I’m currently using the wasm version)

After looking around for answers I found that you can turn off the generation of unsafe-eval-related JS in emcc by passing -s NO_DYNAMIC_EXECUTION=1, but according to this issue, it looks like later versions of Emscripten actually have removed use of eval.

Would it be a possibility to make this change in your HTML5 distribution?
In the meantime, I’m going to see if linking the static library with that flag could work.


Just wanted to follow up that linking to the static library with the -s NO_DYNAMIC_EXECUTION=1 flag isn’t working for the same reason.

Here are the error messages from Chrome’s console:

After some searching I found this MDN article that mentions that in order to use WebAssembly with a CSP header at all, you need to enable script-src 'wasm-unsafe-eval'.

After running the code with this header change, both Chrome and Safari threw an error mentioning that it could not load a blob from blob:http://localhost:<port><filename>. (I’m not sure if this is the .wasm file paired with the .js or not, because the filename was a GUID-like string of hex characters and dashes)

Anyway, setting the policy to script-src 'self' 'wasm-unsafe-eval' blob: it works now in both Chrome & Safari. (It also works with the pre-built fmod js)

1 Like