Make Logseq unsafe-eval free by replacing PIXI.js

Dear Logseq community,

Logseq has this great feature of exporting the knowledge base to a website via Export graph > Export public pages. In terms of server security, this comes with two challenges around content security policies. For my examples, I use NGINX configs.

  1. The node graph shows up only when allowing script-src 'unsafe-inline'. This is necessary because of PIXI.js. I’m curious why PIXI.js was chosen here and whether it could be replaced with a library such as D3.js which might be able to handle this without unsafe-eval.
  2. In order for any notes to show up, script-src 'unsafe-inline'; and style-src 'unsafe-inline'; are necessary. It would also be nice to fix this.

Strict content security policies prevent cross-site-scripting attacks. Logseq on the server doesn’t allow for these policies to be in place without losing features or being unusable.
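An added example, not part of the original post and not Logseq's own configuration: an NGINX server block that enforces the relaxed policy the post says the export currently needs, while sending the strict target policy in report-only mode so the browser console shows what still violates it. The `server_name`, `root` and port are placeholders.

```nginx
# Added example; server_name, root and port are placeholders.
server {
    listen 80;
    server_name notes.example.org;      # placeholder host
    root /var/www/logseq-export;        # placeholder: output of "Export public pages"
    index index.html;

    # Policy the post describes as currently required:
    #   'unsafe-eval'   -> attributed in the post to PIXI.js (node graph)
    #   'unsafe-inline' -> needed in script-src and style-src for notes to render
    add_header Content-Security-Policy
        "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
        always;

    # Strict target policy, not enforced. Browsers evaluate it alongside the
    # enforced policy and log each violation, which shows exactly which
    # scripts and styles would break under a strict CSP.
    add_header Content-Security-Policy-Report-Only
        "default-src 'self'; script-src 'self'; style-src 'self'"
        always;

    location / {
        # No add_header here on purpose: add_header directives are inherited
        # from the server level only when the location defines none itself.
        try_files $uri $uri/ =404;
    }
}
```

Once the report-only policy produces no violations in the browser console, its value can replace the enforced `Content-Security-Policy` header.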