GoogleChrome / omnitone

Spatial Audio Rendering on the web.
https://googlechrome.github.io/omnitone
Apache License 2.0

Content Security Policy and an 'unsafe-eval' Error #106

Open gabrielwolf opened 4 years ago

gabrielwolf commented 4 years ago

Thank you for your amazing work!

If I open the examples on a simple local python http dev server, everything works as expected.

But when I upload the repo examples to my server I get the following error:

Chrome 84:

foa-renderer.html:123 EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' http: https: data: blob: 'unsafe-inline'".

    at new Function (<anonymous>)
    at new O (omnitone.min.js:17)
    at z._initializeCallback (omnitone.min.js:17)
    at new Promise (<anonymous>)
    at z.initialize (omnitone.min.js:17)
    at onLoad (foa-renderer.html:116)

Firefox 78.0.2:

EvalError: call to Function() blocked by CSP
    O https://players.aplattform.net/build/omnitone.min.js:17
    _initializeCallback https://players.aplattform.net/build/omnitone.min.js:17
    initialize https://players.aplattform.net/build/omnitone.min.js:17
    onLoad https://players.aplattform.net/foa-renderer.html:116
foa-renderer.html:123:17
Content Security Policy: Die Einstellungen der Seite haben das Laden einer Ressource auf eval blockiert ("default-src").

If I disable the header line in nginx:

    add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;

the error disappears. This is a security concern, I think.

Can you confirm?
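As an added example (not code from the issue reporter or from the Omnitone project), the following checks whether a Content-Security-Policy header value permits eval-style calls such as the `new Function(...)` in the stack trace above: the browser consults script-src for eval, falls back to default-src when script-src is absent, and only then looks for 'unsafe-eval', which is why the header from the report blocks the call. The header value from the issue is embedded as sample input; the function names are my own.

```javascript
// Parse a CSP header into a Map of directive name -> list of source tokens.
// Directives are ';'-separated; the first occurrence of a name wins.
function parseCsp(header) {
  const policy = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) {
      // CSP keywords like 'unsafe-eval' are matched case-insensitively.
      policy.set(name, tokens.slice(1).map((t) => t.toLowerCase()));
    }
  }
  return policy;
}

// Does this policy allow eval / new Function?  script-src governs eval;
// if it is absent the browser falls back to default-src; if neither is
// present nothing restricts scripts and eval is allowed.
function evalAllowedByCsp(header) {
  const policy = parseCsp(header);
  let governing = null;
  if (policy.has('script-src')) governing = policy.get('script-src');
  else if (policy.has('default-src')) governing = policy.get('default-src');
  if (governing === null) return true;
  return governing.includes("'unsafe-eval'");
}

// Runtime probe: wrap `new Function` so a CSP block surfaces as a clear
// boolean instead of an uncaught EvalError deep inside a library callback.
function evalAllowedAtRuntime() {
  try {
    new Function('return 1')();
    return true;
  } catch (e) {
    if (e instanceof EvalError) return false; // blocked by CSP
    throw e; // anything else is a genuine bug, not a policy decision
  }
}

// Header value quoted in the issue (sample input taken from the report).
const ISSUE_CSP = "default-src 'self' http: https: data: blob: 'unsafe-inline'";
console.log('issue header permits eval:', evalAllowedByCsp(ISSUE_CSP)); // false
```

In a page served with that header the runtime probe returns false, while under Node (no CSP) it returns true.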