sqlectron / sqlectron-gui

A simple and lightweight SQL client desktop with cross database and platform support.
https://sqlectron.github.io/
MIT License
4.58k stars 524 forks

Migrate JointJS away from custom elements based on templates #663

Open maxcnunes opened 3 years ago

maxcnunes commented 3 years ago

We have unsafe-eval enabled for CSP rules because of JointJS. We even talked about removing the diagram support in order to get the app in a security state without trying to figure out how to handle it properly in JointJS https://github.com/sqlectron/sqlectron-gui/pull/638. But I thought better about it and the diagram is a quite nice feature, although I never use it, so it would be better to instead ignore the CSP warning for now and change the diagram implementation later to properly handle the security issue.

I think unsafe-eval is required because the diagram shapes are built using a template approach. I tested building a simple shape using the standard way and it worked without unsafe-eval enabled.

Here are some references for when we get more time to work on this:
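The issue above is about whether the app's Content-Security-Policy can drop `'unsafe-eval'` once the diagram shapes no longer rely on template compilation. The following is an added example, not code from sqlectron or JointJS: a small CSP auditor that parses a policy string, works out which directive governs script execution (`script-src`, falling back to `default-src` as the CSP specification requires), and reports whether `eval()`-style execution or inline scripts are still permitted. The two policy strings are constructed samples, not the project's real headers.

```javascript
// Added example (not part of sqlectron): audit a Content-Security-Policy
// value for the keywords that weaken script execution controls.

// Parse a CSP string into { directiveName: [source, ...] }.
// Directive names and source keywords are case-insensitive in CSP.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return directives;
}

// The source list that actually governs script execution: script-src if
// present, otherwise default-src. With neither, nothing restricts eval().
function effectiveScriptSources(directives) {
  if (directives['script-src']) return directives['script-src'];
  if (directives['default-src']) return directives['default-src'];
  return null;
}

// Report whether the policy permits eval()/new Function() ('unsafe-eval')
// and inline <script> blocks ('unsafe-inline'). Both are the usual
// carve-outs a desktop app wants to remove once its code no longer needs them.
function auditCsp(policy) {
  const directives = parseCsp(policy);
  const scriptSources = effectiveScriptSources(directives);
  if (scriptSources === null) {
    return {
      allowsEval: true,
      allowsInline: true,
      governedBy: null,
      reason: 'neither script-src nor default-src is set',
    };
  }
  const governedBy = directives['script-src'] ? 'script-src' : 'default-src';
  return {
    allowsEval: scriptSources.includes("'unsafe-eval'"),
    allowsInline: scriptSources.includes("'unsafe-inline'"),
    governedBy,
    reason: `script execution governed by ${governedBy}: ${scriptSources.join(' ')}`,
  };
}

// Constructed sample policies (assumptions, not sqlectron's headers):
// the permissive one keeps 'unsafe-eval' for template-compiled diagram
// shapes; the hardened one is what becomes possible once shapes are built
// the standard way without eval.
const PERMISSIVE_CSP =
  "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'";
const HARDENED_CSP =
  "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'";

// Stand-alone demonstration of the audit on both samples.
for (const [label, policy] of [['permissive', PERMISSIVE_CSP], ['hardened', HARDENED_CSP]]) {
  const result = auditCsp(policy);
  console.log(`${label}: allowsEval=${result.allowsEval} allowsInline=${result.allowsInline} (${result.reason})`);
}
```

Running the audit on a proposed policy before shipping it catches the common mistake of removing `'unsafe-eval'` from `script-src` while leaving it in `default-src` (harmless, since `script-src` wins) or, the other way round, deleting `script-src` entirely so that a permissive `default-src` silently takes over.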