Cap.js requires script-src 'unsafe-eval' to be set

SaladCesar · June 13, 2026, 11:01pm

Hi,

I gave a try to cap.js for self hosted alternative to turnstile. (This is a great idea to integrate into BW by the way, thanks!)

It seems like Bunkerweb implementation of it can be improved. Currently I needed to set
CONTENT_SECURITY_POLICY: "object-src 'none'; form-action 'self'; frame-ancestors 'self'; script-src 'unsafe-eval';"

If not, cap.js stops at 99% with error
Content-Security-Policy: The page's settings blocked the execution of an inline script because it violates the following directive: script-src 'nonce-xxx' ``https://cap.example.com`` 'wasm-unsafe-eval' ('unsafe-eval' is missing)

As I am not familiar with what should be fixed exactly, here is the answer from Claude:

The Cap widget dynamically injects scripts at runtime (for the pako decompression fallback and the instrumentation challenge iframe). Because these scripts are injected dynamically by the widget, they need either 'unsafe-eval' or a valid nonce in the script-src CSP directive to be allowed by the browser.

Currently, BunkerWeb’s generated challenge page sets a script-src CSP that includes a nonce (e.g. 'nonce-xxxx'), https://cap.example.com, and 'wasm-unsafe-eval' — but does not include 'unsafe-eval'. This causes the Cap widget to fail at 99% with the following browser error:

Content-Security-Policy: The page's settings blocked the execution of an inline script 
because it violates the following directive: script-src 'nonce-xxx' https://cap.example.com 
'wasm-unsafe-eval' ('unsafe-eval' is missing)

The clean fix Cap.js provides

The Cap widget natively supports window.CAP_SCRIPT_NONCE — when set, it stamps that nonce onto all scripts the widget injects dynamically, making them trusted under the existing nonce-based CSP without needing 'unsafe-eval' at all. See: https://trycap.dev/guide/widget

What BunkerWeb needs to add

In the Cap.js challenge page template, before the widget is initialized, add:

html

<script nonce="$SCRIPT_NONCE">
  window.CAP_SCRIPT_NONCE = '$SCRIPT_NONCE';
</script>

Where $SCRIPT_NONCE is the same nonce BunkerWeb already generates and uses for its own scripts on the challenge page. This would make the Cap.js integration work correctly with strict CSP, without requiring the security-weakening 'unsafe-eval' directive.

Hope this is helpful enough.

Wishing you a good day!

AlexanderOrlovsky · June 14, 2026, 10:46pm

Integration means more code to maintain, you know bunkerweb have plugins, i think thats better direction. If you can try to write a plugin and the commit , me personally happy with what Bunkerweb does.

SaladCesar · June 15, 2026, 1:36pm

Hello Alexander,

I think there is a misunderstanding. Cap.js already integrated into Bunkerweb as an Antibot mechanism. I gave it a try because it is explained in the documentation already. I am not asking for a new integration, I am signaling that there is a bug with the already existing integration.

theophile_bunkerity · June 19, 2026, 8:51am

Hi, we discussed about it on discord and a fix is on the way for the 1.6.12~rc3 release!