CSP of using Sandpack

[WangJiaoJo]

Hi, team,
Does @codesandbox/sandpack need to be run with the CSP header ‘unsafe-eval’?
Thanks!

[WangJiaoJo]

We found it in the @codesandbox/react/dist/cjs, it has the ‘veal’ function which is blocked if there is no ‘unsafe-eval’ in the CSP header. Do you have any idea about this? Thanks!

[DeMoorJasper]

Yes in the previews we run eval quite a lot, otherwise there's not really a way to run user code... this only really applies to the preview afaik

[WangJiaoJo]

Hi, DeMoorJasper,
Thanks so much for your reply!
So the eval is normally used for running code on browsers and in Sandpack, it only will work for the preview, right? In this way, how do we make sure the code security?
Because we still need to add ‘unsafe-eval’ to the CSP headers in our web application to make the Sandpack work. Is there any solution that we can avoid this?
Thanks!

[WangJiaoJo]

And because the ‘unsafe-eval’ is not allowed in most applications, for these applications, is there any way we can use the Sandpack?
Thanks!