Content Security Policy (CSP) Implementation & Dynamic Imports Challenge

This topic move the discussion from github to the official meteor forum

Original Discussion: Content Security Policy 🛂 · meteor/meteor · Discussion #11591 · GitHub

Overview

This discussion consolidates ongoing conversations about implementing proper Content Security Policy (CSP) in Meteor applications. The community has identified a critical challenge: balancing CSP security best practices with Meteor’s current reliance on unsafe-eval for dynamic imports functionality.

Key Points from the Discussion

1. Original Proposal (August 2021)

• Upgrade existing browser-policy packages to use Helmet under the hood
• Wire up additional CSP options to avoid manual nonce generation
• Provide sensible defaults for developers

Related Issues:

• #9689 browser-policy package missing CSP2 and CSP3 directives
• #11424 Deprecate browser policy packages
• #10704 https://github.com/meteor/meteor/issues/10704

2. The Core Problem: Dynamic Imports vs unsafe-eval

Multiple community members have reported an ongoing conflict:

• Using Helmet and implementing CSP security best practices requires disallowing unsafe-eval
• However, Meteor’s dynamic import functionality currently generates unsafe-eval violations, making this impossible
• This creates a security compliance issue, as unsafe-eval is flagged as a significant security concern by:
  • Mozilla Observatory (https://observatory.mozilla.org/)
  • OWASP ZAP
  • Standard security scanners

3. The Workaround Issue

Current workarounds require developers to:

• Disable dynamic imports entirely (not practical for most applications)
• Accept lower security scores on security scanners (affecting trust and compliance)

4. Nonce-Based Solutions

Community research indicates:

• Nonce attributes do not permit scripts with unsafe-eval to run (https://csplite.com/csp/test152/)
• Some developers have explored blob+nonce workarounds, but no production implementations found

5. Impact on Meteor 3+

As noted by @storyteller (June 2024):

• This issue will become increasingly critical after Meteor 3.0 releases
• Security improvements to CSP packages should be prioritized for Meteor 3.1 or 3.2

Proposed Solutions Discussed

1. Modernize browser-policy packages with Helmet integration
2. Develop Meteor-specific CSP handling for better optimization
3. Solve the dynamic-import without unsafe-eval challenge (acknowledged as the most difficult aspect)
4. Use WebApp package for CSP configuration as an interim solution

Current Status (As of February 2026)

The community continues to seek:

• A practical solution that allows dynamic imports without unsafe-eval
• Investigation into how other frameworks (like webpack-based tools) handle this scenario
• Integration of Helmet into Meteor’s CSP packages for better defaults and flexibility

Related Discussions

• GitHub: BrowserPolicy.content.disallowEval() still gives 'unsafe-eval'
• Meteor forum: Improve default security with headers?