Map server does not work with clients that correctly enforce CSP

[connor4312]

Describe the bug

1. Try to use the map server on an app that correctly enforces the spec's CSP
2. You get an error, "Evaluating a string as JavaScript violates the following Content Security Policy directive because 'unsafe-eval' is not an allowed source of script: script-src 'self' 'unsafe-inline' https://.openstreetmap.org https://cesium.com https://.cesium.com"."

To Reproduce

See above

Expected behavior

It should work

Logs
If applicable, add logs to help explain your problem.

Additional context

Basically the same as #199

Per spec, unsafe-eval should not be allowed https://github.com/modelcontextprotocol/ext-apps/blob/main/specification/2026-01-26/apps.mdx#4-content-security-policy-enforcement

[matipojo]

Seems the issue is with Zod v4 (colinhacks/zod#4461)

If possible, try configuring Zod before importing the MCP SDK:

import { z } from 'zod/v4';

z.config({ jitless: true });

// import MCP SDK here...

[ochafik]

Fixed in v1.7.0 — App now sets z.config({jitless: true}) by default so Views run under strict CSP without unsafe-eval (#618). Opt out with new App(..., {allowUnsafeEval: true}) if you need the faster JIT path.

[hydrosquall]

Related CSP unsafe-eval error coming from a different ext-apps dependency

#652