docs: Add Content Security Policy requirements for Web SDK

client-sdks/reference/javascript-web.mdx

@@ -187,7 +187,7 @@
 Accordingly, the connector must implement two methods:
 
 1. [PowerSyncBackendConnector.fetchCredentials](https://github.com/powersync-ja/powersync-js/blob/ed5bb49b5a1dc579050304fab847feb8d09b45c7/packages/common/src/client/connection/PowerSyncBackendConnector.ts#L16) - This method will be automatically invoked by the PowerSync Client SDK every couple of minutes to obtain authentication credentials. See [Authentication Setup](/configuration/auth/overview) for instructions on how the credentials should be generated.
 2. [PowerSyncBackendConnector.uploadData](https://github.com/powersync-ja/powersync-js/blob/ed5bb49b5a1dc579050304fab847feb8d09b45c7/packages/common/src/client/connection/PowerSyncBackendConnector.ts#L24) - This method will be automatically invoked by the PowerSync Client SDK whenever it needs to upload client-side writes to your app backend via your backend API. Therefore, in your implememtation, you need to define how your backend API is called. See [Writing Client Changes](/handling-writes/writing-client-changes) for considerations on the app backend implementation.
 
 **Example**:
 
@@ -351,6 +351,35 @@
 
 ## Developer Notes
 
+### Content Security Policy (CSP)
+
+<Warning>
+**Required for Production:** Your Content Security Policy `script-src` directive must include `'wasm-unsafe-eval'` for PowerSync to work, particularly in Safari.
+</Warning>
+
+PowerSync Web SDK requires the `wasm-unsafe-eval` directive in your Content Security Policy headers to function correctly.
+
+**Why it's required:**
+
+PowerSync uses [wa-sqlite](https://www.npmjs.com/package/@journeyapps/wa-sqlite), which requires WebAssembly compilation at runtime to bind JavaScript functions to SQLite internals. Without `wasm-unsafe-eval`, browsers will block WebAssembly module instantiation, preventing PowerSync from functioning.
+
+**Proper CSP configuration:**
+
+```
+Content-Security-Policy: script-src 'self' 'wasm-unsafe-eval';
+```
+
+**Security considerations:**
+
+- `wasm-unsafe-eval` only permits WebAssembly compilation (NOT JavaScript `eval()`)
+- This is more secure than `unsafe-eval`, which permits both WASM and JavaScript eval
+- It's the industry-standard directive for WASM-based applications
+- WebAssembly has strong security boundaries and memory isolation
+
+<Note>
+Safari's strict CSP enforcement will block PowerSync functionality if this directive is missing. Modern browsers (Safari 15.2+, Chrome 95+, Firefox 102+) all support `wasm-unsafe-eval`.
+</Note>
+
 ### Connection Methods
 
 This SDK supports two methods for streaming sync commands: