I am implementing a wallet using Web3Auth MPC Core Kit (MPC-TSS). When I try to sign an EVM message with the coreKit instance (following the documentation example), the browser throws a CSP error and blocks the WebAssembly code.
The console shows an error like the one in the attached image.
It looks like the TSS libraries (@toruslabs/tss-dkls-lib for EVM / @toruslabs/tss-frost-lib for Solana) internally use eval() or new Function(), which is blocked under a strict CSP.
Expected Behavior
MPC-TSS signing should work in browser environments with standard or strict CSP.
The library should offer a CSP-safe WebAssembly build.
Actual Behavior
signMessage fails with CSP violation.
Only works if 'unsafe-eval' is added to CSP, which is not recommended in a wallet context.
Is adjusting CSP to allow 'unsafe-eval' recommended in a wallet context? (I don’t think so, due to security risks.)
What other supported solutions exist to make MPC-TSS signing work in browser-embedded wallets under CSP restrictions?
Thank you for your detailed report and for providing a screenshot of the error. Here’s a summary of your issue for the support team, along with some context and initial recommendations:
Issue Summary
SDK: Web3Auth MPC Core Kit (Core-Kit)
Platform: Browser (Web)
SDK Version: Not specified (please confirm if possible)
Issue: When calling signMessage using the coreKit instance, the browser throws a CSP (Content Security Policy) error:
WebAssembly.instantiate blocked by unsafe-eval
The error points to use of eval() or new Function() within the TSS libraries, which is not allowed under a strict CSP.
Expected: MPC-TSS signing should work in browser environments with strict CSP (i.e., without requiring 'unsafe-eval').
Actual: Signing fails unless 'unsafe-eval' is added to CSP, which is not recommended for security reasons.
Screenshot Provided: Yes (shows the CSP violation in the console)
Key Questions from User
Is it recommended to allow 'unsafe-eval' in a wallet context? (User believes it is not, due to security risks.)
Are there supported solutions or workarounds to enable MPC-TSS signing in browsers under strict CSP?
Additional Details Needed (if available)
SDK Version: If you can share the specific version of @web3auth/mpc-core-kit and the TSS libraries in use, that would help the team reproduce and address the issue more precisely.
Initialization & Login Code: If your initialization or login code differs from the documentation, please provide a snippet.
CSP Policy: If you have a custom CSP header, sharing its configuration might help.
Initial Recommendations & Context
CSP and WebAssembly: Many cryptographic libraries (including some TSS implementations) use dynamic code generation (eval, new Function) for performance or compatibility, but this is incompatible with strict CSP settings.
Current Limitation: As of now, the TSS libraries used by Web3Auth (such as @toruslabs/tss-dkls-lib) are known to require 'unsafe-eval' in browser environments. This is a common limitation in many WebAssembly-based cryptographic libraries.
Security Best Practices: It is generally not recommended to enable 'unsafe-eval' in production wallet applications due to the increased attack surface.
Check for CSP-Safe Builds: Currently, there is no official CSP-safe (no eval/new Function) build of the TSS libraries. If this is a blocking issue for your production use case, please specify so the team can prioritize or suggest alternatives.
Alternative Environments: If strict CSP is required, you may need to implement signing in a more permissive environment (e.g., native app, backend, or service worker with relaxed CSP), or use a different signing approach until a CSP-safe build is available.
Feature Request: If you need a CSP-safe build, please confirm so this can be escalated as a feature request.
Next Steps
Please confirm your SDK and TSS library versions.
If possible, provide your CSP header and a code snippet of the initialization.
The support team will review if a CSP-safe build is planned or if there are any recommended workarounds.
Thank you for raising this important security concern! Let us know if you have any further details or requirements, and we’ll keep you updated on progress or alternative solutions.
Note: This response was generated by an AI bot and may require further verification. The Web3Auth support team has tracked this issue and will be responding as soon as possible.
Additionally, we recommend that you join our biweekly Office Hours to get this resolved even faster: Web3Auth Developer Office Hours
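For readers weighing the two questions in this thread (whether to add 'unsafe-eval' to a wallet's CSP, and what else can be done), the following is an added example, written for this page and not code from the original poster, from the support bot or from Web3Auth. It shows a CSP helper for a browser wallet: it parses a Content-Security-Policy header, reports whether the effective script-src permits JavaScript eval()/new Function() and whether it permits WebAssembly compilation, and probes the running page so a "WebAssembly blocked" symptom can be told apart from a "new Function blocked" symptom. The point it adds to the thread is that CSP Level 3 has a separate 'wasm-unsafe-eval' source keyword that enables only WebAssembly compilation and leaves JS eval blocked, so it is a narrower grant than 'unsafe-eval'; whether that is enough for the TSS libraries depends on whether they really call eval()/new Function() (as the post suspects) or only compile WebAssembly, which the probe below can tell you in your own page. The header strings and the probe result labels are constructed for the example; under Node the probes succeed because no CSP is enforced there.

```javascript
// Added example (not from the original post or from Web3Auth): CSP helper for
// a browser wallet. Parses a CSP header, evaluates what the effective script-src
// permits, and probes the running environment for eval / WebAssembly blocking.

// Parse "directive src src; directive src" into Map<directive, Set<source>>.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [directive, ...sources] = tokens;
    policy.set(directive.toLowerCase(), new Set(sources));
  }
  return policy;
}

// script-src governs eval() and WebAssembly compilation; when it is absent,
// CSP falls back to default-src. No directive at all means no restriction here.
function effectiveScriptSrc(policy) {
  return policy.get('script-src') || policy.get('default-src') || null;
}

// 'unsafe-eval' re-enables JS eval()/new Function() AND WebAssembly compilation.
// 'wasm-unsafe-eval' (CSP Level 3) enables WebAssembly compilation only.
function evaluatePolicy(header) {
  const src = effectiveScriptSrc(parseCsp(header));
  if (src === null) return { allowsJsEval: true, allowsWasmCompile: true };
  const allowsJsEval = src.has("'unsafe-eval'");
  const allowsWasmCompile = allowsJsEval || src.has("'wasm-unsafe-eval'");
  return { allowsJsEval, allowsWasmCompile };
}

// Smallest valid WebAssembly binary (constructed): magic "\0asm" + version 1, no sections.
const EMPTY_WASM = new Uint8Array([0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00]);

// Synchronous compile. In a page whose CSP has neither keyword, browsers throw
// a WebAssembly.CompileError here, which is the symptom described in the post.
function probeWasmCompile() {
  try {
    new WebAssembly.Module(EMPTY_WASM);
    return { ok: true, error: null };
  } catch (e) {
    return { ok: false, error: String(e) };
  }
}

// In a page whose CSP lacks 'unsafe-eval', browsers throw an EvalError here.
function probeJsEval() {
  try {
    // eslint-disable-next-line no-new-func
    return { ok: new Function('return 1')() === 1, error: null };
  } catch (e) {
    return { ok: false, error: String(e) };
  }
}

// Three policies side by side (constructed): the broad grant the thread says the
// library currently forces, the narrower WebAssembly-only grant, and a strict baseline.
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-eval'";
const NARROW_CSP = "default-src 'self'; script-src 'self' 'wasm-unsafe-eval'";
const STRICT_CSP = "default-src 'self'";

// Map the two probe results to a label (labels are constructed for this example).
// wasm blocked + eval blocked: try 'wasm-unsafe-eval' first, it is the smaller grant.
// wasm ok + eval blocked: anything still failing genuinely depends on JS eval.
function diagnose() {
  const wasm = probeWasmCompile();
  const js = probeJsEval();
  if (wasm.ok && js.ok) return 'no-csp-restriction';
  if (wasm.ok && !js.ok) return 'wasm-ok-js-eval-blocked';
  if (!wasm.ok && !js.ok) return 'wasm-blocked-consider-wasm-unsafe-eval';
  return 'unexpected';
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, csp] of [['weak', WEAK_CSP], ['narrow', NARROW_CSP], ['strict', STRICT_CSP]]) {
    console.log(name, csp, evaluatePolicy(csp));
  }
  console.log('runtime:', diagnose());
}
```

Run `diagnose()` from the wallet's own page (for example in the console, with the real header in place) rather than under Node: the static `evaluatePolicy` check tells you what a header grants, and the runtime probes tell you what the page actually enforces, including policies delivered by a meta tag or a second header. If the probes show WebAssembly blocked and the TSS library starts working once only 'wasm-unsafe-eval' is added, the library compiles WebAssembly but does not need JS eval, and the wallet never has to grant 'unsafe-eval'; if it still fails with 'wasm-unsafe-eval' in place, the library really does use eval()/new Function(), and the feature request for a CSP-safe build discussed in the thread is the path forward.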