Skip to content

Use pixi.js/unsafe-eval polyfills to remove unsafe-eval CSP requirement#1773

Draft
Copilot wants to merge 4 commits intomainfrom
copilot/fix-unsafe-eval-bug
Draft

Use pixi.js/unsafe-eval polyfills to remove unsafe-eval CSP requirement#1773
Copilot wants to merge 4 commits intomainfrom
copilot/fix-unsafe-eval-bug

Conversation

Copy link

Copilot AI commented Feb 27, 2026
edited
Loading

Rapid requires unsafe-eval in the Content Security Policy because pixi.js v8 uses new Function() for dynamic code generation (uniform syncing, shader syncing, UBO sync, particle updates). iD does not have this requirement.

Change

pixi.js 8.x ships a pixi.js/unsafe-eval submodule that monkey-patches the relevant prototype methods with static polyfill equivalents, eliminating the new Function() calls entirely.

Import it at the top of GraphicsSystem.js before pixi.js initializes:

import 'pixi.js/unsafe-eval';
import * as PIXI from 'pixi.js';

This installs polyfills for:

  • GlUniformGroupSystem._generateUniformsSync
  • GlUboSystem._generateUboSync / GpuUboSystem._generateUboSync
  • GlShaderSystem._generateShaderSync
  • ParticleBuffer.generateParticleUpdate

Rapid now works under a strict script-src 'self' CSP with no unsafe-eval allowance.

Original prompt

This section details on the original issue you should resolve

<issue_title>Current environment does not allow unsafe-eval, please use pixi.js/unsafe-eval module to enable support.</issue_title>
<issue_description>### Description

Rapid requires an 'unsafe-eval' CSP flag, whereas iD does not. I don't believe it is necessary to require unsafe evaluations, and thus I consider this a bug.

Screenshots

No response

Version

2.5.2

What browser are you seeing the problem on? What version are you running?

Chrome v137

The OS you're using

No response

Steps to reproduce

Set the following response header:

content-security-policy: script-src 'self'

The browser URL at the time you encountered the bug

Unavailable

The auto-detected useragent string for your browser (leave blank if you're manually filling this form out)

No response</issue_description>

Comments on the Issue (you are @copilot in this section)

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

@meta-cla meta-cla bot added the cla signed label Feb 27, 2026
Copilot AI and others added 3 commits February 27, 2026 22:37
@jenningsanderson
Initial plan for CSP unsafe-eval fix
5c7f762 
Co-authored-by: jenningsanderson <1637425+jenningsanderson@users.noreply.github.com>
@jenningsanderson
Fix: Import pixi.js/unsafe-eval polyfills to support strict CSP envir…
4946a47 
…onments

Co-authored-by: jenningsanderson <1637425+jenningsanderson@users.noreply.github.com>
@jenningsanderson
Clean up unnecessary .gitignore entry
72b8731 
Co-authored-by: jenningsanderson <1637425+jenningsanderson@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix unsafe-eval requirement in current environment Use pixi.js/unsafe-eval polyfills to remove unsafe-eval CSP requirement Feb 27, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@jenningsanderson jenningsanderson

Copilot code review Copilot

Labels

cla signed

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Current environment does not allow unsafe-eval, please use pixi.js/unsafe-eval module to enable support.

2 participants

@jenningsanderson