laz-perf does not work with Content Security Policy preventing unsafe eval

Summary

laz-perf uses WASM generated with Emscripten, which emits some JS code that makes use of dynamic evaluation such as eval() and Function. Dynamic execution is a security issue and disabled by Content Security Policy.

See laz-perf issue: https://github.com/hobuinc/laz-perf/issues/158

There is nothing to do directly in Giro3D, except updating laz-perf and copc when they are updated.

Steps to reproduce

Serve a Giro3D app with the following CSPs: default-src 'self'.

Expected behaviour:

Point cloud loading work fine.

Actual behaviour:

The browser refuses to load the laz-perf library:

Informations

Giro3D version: 0.41
Browser (Firefox, Chrome, Opera, Safari...) and version: N/A
OS (Linux, MacOS, Windows...) N/A

Edited Feb 08, 2025 by Sébastien Guimmara