Describe the bug
This is a similar issue to #618, except the warning is thrown from AJV instead of Zod. It uses the new Function() constructor, which is equivalent to eval.
https://github.com/ajv-validator/ajv/blob/f177fe323420ccb23e1a79445fd470cbf80aee7c/lib/compile/index.ts#L171
The @modelcontextprotocol/sdk@1.29.0 dependency uses AJV 8 (ajv@^8.17.1) to validate JSON schemas at runtime. AJV 8 generates validator functions by calling new Function() (equivalent to eval).
This throws an error when running MCP apps in MCP app hosts that implement CSP policies, including Goose 1.33.1 and Cursor Version: 3.2.16 (Universal).
Unfortunately, unlike Zod, there isn't a runtime flag for disabling the constructor, so removing this warning log is more involved.
To Reproduce
- Open any app that uses the ext-apps SDK @1.7.1 and check the developer tools; there will be a warning.
Expected behavior
Importing the ext-apps wouldn't introduce unsafe-eval warnings
Additional context
It's possible this issue could be opened in typescript-sdk too, but this might be a better fit since typescript-sdk can be used client-side and need not avoid unsafe-eval warnings, whereas MCP apps are meant to run in environments with security guardrails in place.
https://github.com/modelcontextprotocol/typescript-sdk/issues?q=is%3Aissue%20state%3Aclosed%20unsafe-eval
Potential fix
AJV allows compiling a function that will validate the schema in advance, see ajv-validator/ajv#406 / https://ajv.js.org/security.html#content-security-policy
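The difference between compiling a validator at runtime and shipping it precompiled, as an added example that is not part of the original issue and is not AJV or SDK code. It assumes Node's `vm` module as a stand-in for a CSP host without `unsafe-eval`; `generateValidatorSource`, `sampleSchema` and the other names are hypothetical.

```javascript
// Added example. Node's vm module stands in for an app host whose CSP omits 'unsafe-eval'.
const vm = typeof require === "function" ? require("node:vm")
  : process.getBuiltinModule("node:vm"); // ES-module fallback (newer Node releases)

// Hypothetical miniature schema compiler (NOT AJV): emits validator source for a
// flat object schema with "required" keys and primitive typeof-style "type" checks.
function generateValidatorSource(schema) {
  const q = JSON.stringify;
  const checks = (schema.required ?? []).map((k) => `if (!(${q(k)} in data)) return false;`);
  for (const [key, prop] of Object.entries(schema.properties ?? {})) {
    checks.push(`if (${q(key)} in data && typeof data[${q(key)}] !== ${q(prop.type)}) return false;`);
  }
  return [
    "function validate(data) {",
    '  if (typeof data !== "object" || data === null) return false;',
    ...checks.map((c) => "  " + c),
    "  return true;",
    "}",
  ].join("\n");
}

// Constructed sample schema, not taken from the SDK.
const sampleSchema = {
  type: "object",
  required: ["name"],
  properties: { name: { type: "string" }, isError: { type: "boolean" } },
};

// A realm in which eval() and new Function() are refused.
const makeRestrictedContext = () =>
  vm.createContext({}, { codeGeneration: { strings: false } });

// Runtime compilation: source is turned into code with new Function() inside the realm.
function compileAtRuntime(schema) {
  const ctx = makeRestrictedContext();
  ctx.source = generateValidatorSource(schema);
  try {
    vm.runInContext('new Function("data", source + "; return validate(data);")', ctx);
    return "compiled";
  } catch (err) {
    return err.name; // the realm rejects string-to-code conversion
  }
}

// Build-time compilation: the generated source ships as a normal script file, so the
// host loads it like any bundled code and nothing is compiled from strings at runtime.
function loadPrecompiled(schema) {
  const ctx = makeRestrictedContext();
  vm.runInContext(generateValidatorSource(schema), ctx, { filename: "validate.generated.js" });
  return ctx.validate;
}
```

With AJV itself, the build step would emit the validator module through its standalone code generation described at the linked security page, and the app would import that module instead of calling `ajv.compile()` in the host.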