Map server does not work with clients that correctly enforce CSP

**Describe the bug**

1. Try to use the map server on an app that correctly enforces the spec's CSP
2. You get an error, "Evaluating a string as JavaScript violates the following Content Security Policy directive because 'unsafe-eval' is not an allowed source of script: script-src 'self' 'unsafe-inline' https://*.openstreetmap.org https://cesium.com https://*.cesium.com"."

**To Reproduce**

See above

**Expected behavior**

It should work

**Logs**
If applicable, add logs to help explain your problem.

**Additional context**

Basically the same as https://github.com/modelcontextprotocol/ext-apps/issues/199

Per spec, unsafe-eval should not be allowed https://github.com/modelcontextprotocol/ext-apps/blob/main/specification/2026-01-26/apps.mdx#4-content-security-policy-enforcement


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Map server does not work with clients that correctly enforce CSP #374

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Map server does not work with clients that correctly enforce CSP #374

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions