When building the CommonJS dist, rollup automatically adds the use strict directive at the beginning of the generated index.js.
Not only is this not needed when CommonJS is exported with modules (see here), but it also breaks JS when Content-Security-Policy is enabled.
Error:
Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' ...
Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'...
// This module should not be running in strict mode, so the above
// assignment should always work unless something is misconfigured. Just
// in case runtime.js accidentally runs in strict mode, we can escape
// strict mode using a global Function call. This could conceivably fail
// if a Content Security Policy forbids using Function, but in that case
// the proper solution is to fix the accidental strict mode problem. If
// you've misconfigured your bundler to force strict mode and applied a
// CSP to forbid Function, and you're not willing to fix either of those
// problems, please detail your unique predicament in a GitHub issue.
Solution
Change rollup to remove the strict directive.
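The failure described above can be reproduced outside a browser. This is an added example, not code from this project or from the runtime whose comment is quoted: it uses Node's vm module with string code generation disabled as a stand-in for a CSP without 'unsafe-eval', and RUNTIME_SNIPPET and loadBundle are constructed, hypothetical names.

```javascript
// Added demo: Node's vm module stands in for a browser page whose CSP lacks
// 'unsafe-eval' (codeGeneration.strings = false blocks eval and Function).
const vm = require("vm");

// Constructed stand-in for the pattern the quoted comment describes:
// assign an undeclared global, and fall back to Function() if that throws.
const RUNTIME_SNIPPET = `
var runtime = { loaded: true };
try {
  regeneratorRuntime = runtime;                      // works only in sloppy mode
} catch (accidentalStrictMode) {
  Function("r", "regeneratorRuntime = r")(runtime);  // needs string evaluation
}
`;

// Load the snippet the way a bundle would be loaded, optionally prefixed with
// the directive, under a policy that allows or forbids string evaluation.
function loadBundle({ strict, allowEval }) {
  const sandbox = vm.createContext({}, { codeGeneration: { strings: allowEval } });
  const source = (strict ? '"use strict";\n' : "") + RUNTIME_SNIPPET;
  try {
    vm.runInContext(source, sandbox);
    return { ok: sandbox.regeneratorRuntime !== undefined, error: null };
  } catch (err) {
    // The error object comes from another realm, so compare by name.
    return { ok: false, error: err.name };
  }
}

// The three combinations that matter for this change.
const cases = [
  { label: "no directive, eval blocked", strict: false, allowEval: false },
  { label: "directive, eval blocked", strict: true, allowEval: false },
  { label: "directive, eval allowed", strict: true, allowEval: true },
];
for (const c of cases) {
  const result = loadBundle(c);
  console.log(`${c.label}: ${result.ok ? "loaded" : "failed with " + result.error}`);
}
```

In rollup the directive is controlled by the output.strict option; setting it to false for the CommonJS output omits it.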