karak / riot-test-renderer

Lightweight testing utility for Riot

CSP #18

Open karak opened 6 years ago

karak commented 6 years ago

We must avoid raw eval() for CSP (Content Security Policy) as warned by Rollup.

Now, we could have safeEval, if it can simply alternate our eval() -- scripts in tags are user-defined -- and is available on browsers in UMD modules.

karak commented 6 years ago

Solving that warning is easy and quick. We can replace those points of execution with an IIFE module.

karak commented 6 years ago

As for CSP, Riot itself implements its own safeEval on esprima with hoister. I guess they seek smaller size why not using notEvil constructed by the same stack.

karak commented 6 years ago

I'll close this issue because I suspect many Chrome Extensions use raw browsers including Karma, or Node.js like sinon-chrome.

Testing frameworks needn't support CSP like riot itself.