content-security-policy flagging globalEval

content-security-policy flagging globalEval

I'm implementing the header content-security-policy and cleaning up code as I go.

My main sticking point on the javascript side of things is that jQuery-1.11.3 violates the eval policy:

Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'

Is there a way around this other than the unsafe 'unsafe-eval' policy? It seems to me that to go down that route negates a large part of the security this header provides.