However, I am unable to have my CSP exclude unsafe-eval without having an application error. The site will load for a moment, then crash. Is it possible at all to exclude this line from the CSP? I'm having no luck trying to figure this one out, and I'd really prefer not to have this vulnerability.
Hi, still wondering with Plasmic Loader NextJS / headless API v2, is unsafe-eval required? Or would there be something project-specific that is using unsafe-eval? Every time I remove unsafe-eval from the CSP, I get this set of errors:
"framework-874f90c722094369.js?dpl=dpl_4cBzTmNnbVYuycL7Bgm1Eu6MnuL8:1 Error: PLASMIC: Failed to create function for render__aga-_3Bfmxca.js: EvalError: Evaluating a string as JavaScript violates the following Content Security Policy directive because 'unsafe-eval' is not an allowed source of script: script-src 'self' https://*.crisp.chat https://connect.facebook.net https://a.plasmic.app https://va.vercel-scripts.com".
at Registry.load (642-c616a9a31ed53324.js?dpl=dpl_4cBzTmNnbVYuycL7Bgm1Eu6MnuL8:1:3698)
at tD.getComponent (642-c616a9a31ed53324.js?dpl=dpl_4cBzTmNnbVYuycL7Bgm1Eu6MnuL8:14:3183)
at tW (642-c616a9a31ed53324.js?dpl=dpl_4cBzTmNnbVYuycL7Bgm1Eu6MnuL8:17:5713)
at tJ (642-c616a9a31ed53324.js?dpl=dpl_4cBzTmNnbVYuycL7Bgm1Eu6MnuL8:17:6313)
at ld (framework-874f90c722094369.js?dpl=dpl_4cBzTmNnbVYuycL7Bgm1Eu6MnuL8:1:127328)
at i (framework-874f90c722094369.js?dpl=dpl_4cBzTmNnbVYuycL7Bgm1Eu6MnuL8:1:188293)
at uI (framework-874f90c722094369.js?dpl=dpl_4cBzTmNnbVYuycL7Bgm1Eu6MnuL8:1:167946)
at framework-874f90c722094369.js?dpl=dpl_4cBzTmNnbVYuycL7Bgm1Eu6MnuL8:1:167813
at uM (framework-874f90c722094369.js?dpl=dpl_4cBzTmNnbVYuycL7Bgm1Eu6MnuL8:1:167820)
at ux (framework-874f90c722094369.js?dpl=dpl_4cBzTmNnbVYuycL7Bgm1Eu6MnuL8:1:164572)
l5 @ framework-874f90c722094369.js?dpl=dpl_4cBzTmNnbVYuycL7Bgm1Eu6MnuL8:1
l.componentDidCatch.n.callback @ framework-874f90c722094369.js?dpl=dpl_4cBzTmNnbVYuycL7Bgm1Eu6MnuL8:1
…
main-1c5378701e26c60d.js?dpl=dpl_4cBzTmNnbVYuycL7Bgm1Eu6MnuL8:1 Error: PLASMIC: Failed to create function for render__aga-_3Bfmxca.js: EvalError: Evaluating a string as JavaScript violates the following Content Security Policy directive because 'unsafe-eval' is not an allowed source of script: –
at Registry.load (642-c616a9a31ed53324.js?dpl=dpl_4cBzTmNnbVYuycL7Bgm1Eu6MnuL8:1:3698)
at tD.getComponent (642-c616a9a31ed53324.js?dpl=dpl_4cBzTmNnbVYuycL7Bgm1Eu6MnuL8:14:3183)
at tW (642-c616a9a31ed53324.js?dpl=dpl_4cBzTmNnbVYuycL7Bgm1Eu6MnuL8:17:5713)
at tJ (642-c616a9a31ed53324.js?dpl=dpl_4cBzTmNnbVYuycL7Bgm1Eu6MnuL8:17:6313)
at ld (framework-874f90c722094369.js?dpl=dpl_4cBzTmNnbVYuycL7Bgm1Eu6MnuL8:1:127328)
at i (framework-874f90c722094369.js?dpl=dpl_4cBzTmNnbVYuycL7Bgm1Eu6MnuL8:1:188293)
at uI (framework-874f90c722094369.js?dpl=dpl_4cBzTmNnbVYuycL7Bgm1Eu6MnuL8:1:167946)
at framework-874f90c722094369.js?dpl=dpl_4cBzTmNnbVYuycL7Bgm1Eu6MnuL8:1:167813
at uM (framework-874f90c722094369.js?dpl=dpl_4cBzTmNnbVYuycL7Bgm1Eu6MnuL8:1:167820)
at ux (framework-874f90c722094369.js?dpl=dpl_4cBzTmNnbVYuycL7Bgm1Eu6MnuL8:1:164572)
On a fresher instance, it seems unsafe-eval is required:
"Error: PLASMIC: Failed to create function for render__e27EUqCgYrUE.js: EvalError: Evaluating a string as JavaScript violates the following Content Security Policy directive because 'unsafe-eval' is not an allowed source of script: script-src 'self' style-src 'self' 'unsafe-inline'".
Any solution appreciated. It has been suggested that I move to codegen, though I'm apprehensive about that process just to tighten this bolt.
Hi @jvx4, currently, as of Jan 2026, when using a CSP, unsafe-eval is required for loader, since generated code will be evaluated dynamically. If not having unsafe-eval is a requirement, switching to codegen would work.
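The reply above states the mechanism: the loader evaluates generated component code at runtime, and a browser only permits that when the directive governing scripts contains 'unsafe-eval'. The following is an added example, not Plasmic's code and not from anyone in this thread. It audits a CSP header string the way the browser decides that question (script-src, falling back to default-src), reproduces the "violated directive" text the errors above report, and builds a Report-Only variant so a tightened policy can be trialled without the page crash described in the question. The sample headers and the /csp-report path are constructed placeholders.

```javascript
// Added example (not Plasmic's code). Decides whether a Content-Security-Policy
// header permits eval()/new Function, which is what the loader's
// "Failed to create function" error hinges on.

// Split a CSP header into a Map of directive name -> source list.
// A repeated directive is ignored after its first occurrence, as in CSP.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// The directive that governs eval: script-src, else default-src.
// Returns null when neither is set (scripts are then unrestricted).
function evalGoverningDirective(directives) {
  for (const name of ['script-src', 'default-src']) {
    if (directives.has(name)) return { name, sources: directives.get(name) };
  }
  return null;
}

// True when evaluating a string as JavaScript is permitted by this header.
function allowsEval(header) {
  const d = evalGoverningDirective(parseCsp(header));
  if (d === null) return true;
  return d.sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// The text a browser reports as the violated directive when eval is blocked,
// e.g. "script-src 'self' https://a.plasmic.app"; null when eval is allowed.
function violatedDirective(header) {
  const d = evalGoverningDirective(parseCsp(header));
  if (d === null || allowsEval(header)) return null;
  return [d.name, ...d.sources].join(' ');
}

// Staged rollout: serve the tightened policy as Report-Only first, so the
// browser reports violations to reportUri instead of blocking the loader.
// '/csp-report' is a placeholder; point it at your own collector.
function reportOnlyHeader(header, reportUri = '/csp-report') {
  const parts = [];
  for (const [name, sources] of parseCsp(header)) {
    if (name === 'report-uri') continue; // replaced below
    parts.push([name, ...sources].join(' '));
  }
  parts.push(`report-uri ${reportUri}`);
  return { name: 'Content-Security-Policy-Report-Only', value: parts.join('; ') };
}

// Constructed sample headers, not taken from a real deployment.
const STRICT = "default-src 'self'; script-src 'self' https://a.plasmic.app; style-src 'self' 'unsafe-inline'";
const WITH_EVAL = "default-src 'self'; script-src 'self' 'unsafe-eval' https://a.plasmic.app";

// One-line verdict per header, as you would print from a deploy check.
function auditHeaders(headers) {
  return headers.map((h) =>
    allowsEval(h) ? 'eval allowed' : `eval blocked by: ${violatedDirective(h)}`,
  );
}

console.log(auditHeaders([STRICT, WITH_EVAL]).join('\n'));
console.log(reportOnlyHeader(STRICT));
```

Run it against the header your Next.js app actually sends: a result of "eval blocked by: script-src ..." is precisely the state in which loader fails, and the Report-Only form lets you confirm that before enforcing it. As the reply says, the only way to enforce a policy without 'unsafe-eval' while still rendering these components is codegen, because the generated code is then shipped as static files rather than evaluated from a string.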