I'm implementing the Content-Security-Policy header and cleaning up code as I go.
My main sticking point on the javascript side of things is that jQuery-1.11.3 violates the eval policy:
Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'
Is there a way around this other than the unsafe 'unsafe-eval' policy? It seems to me that to go down that route negates a large part of the security this header provides.
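The first step in answering a question like this is finding out which code path actually reaches string-to-code evaluation, since the error message names the directive but not the caller. The following is an added example, not code from the question or from jQuery: it wraps the two entry points that 'unsafe-eval' gates (the global eval and the Function constructor) so that every call is logged together with the caller's stack frames. The two `library*` functions are constructed stand-ins for the kind of library code involved (jQuery 1.x's globalEval calls window["eval"] indirectly, and its parseJSON falls back to new Function("return " + data) on browsers without JSON.parse); the names installEvalTracer, traceDemo and the sample inputs are this example's own.

```javascript
'use strict';

// Constructed stand-ins for library code that evaluates strings as script.
// An indirect eval through the global object, as jQuery 1.x's globalEval does:
function libraryGlobalEval(code) {
  return globalThis['eval'].call(globalThis, code);
}
// A new Function(...) fallback, as jQuery 1.x's parseJSON uses on old browsers:
function libraryParseJsonFallback(text) {
  return new Function('return ' + text)();
}

// Replaces globalThis.eval and globalThis.Function with wrappers that record
// a short label, the evaluated text and the caller's stack frames, then
// delegate to the originals. Returns the log and an uninstall() that
// restores the originals. (Hypothetical helper written for this example.)
function installEvalTracer() {
  const originalEval = globalThis.eval;
  const originalFunction = globalThis.Function;
  const log = [];

  function record(kind, source) {
    // Drop "Error", the record() frame and the wrapper's frame, so the first
    // remaining frame is the library function that asked for evaluation.
    const frames = (new Error().stack || '')
      .split('\n')
      .slice(3)
      .map((line) => line.trim());
    log.push({ kind, source: String(source).slice(0, 80), frames });
  }

  globalThis.eval = function tracedEval(source) {
    record('eval', source);
    // Calling the saved reference is an indirect eval (global scope), the
    // same form jQuery uses. Under an enforced CSP the original throws
    // EvalError here, but the log entry above has already been written.
    return originalEval(source);
  };

  globalThis.Function = function tracedFunction(...args) {
    record('Function', args[args.length - 1]);
    return originalFunction(...args);
  };
  // Keep the prototype chain so "x instanceof Function" still holds.
  globalThis.Function.prototype = originalFunction.prototype;

  return {
    log,
    uninstall() {
      globalThis.eval = originalEval;
      globalThis.Function = originalFunction;
    },
  };
}

// Runs the constructed library paths under the tracer and returns, for each
// evaluation, which entry point was hit and the first frame that names a
// library function (constructed demo inputs).
function traceDemo() {
  const tracer = installEvalTracer();
  try {
    libraryGlobalEval('1 + 1');
    libraryParseJsonFallback('{"a": 1}');
  } finally {
    tracer.uninstall();
  }
  return tracer.log.map((entry) => ({
    kind: entry.kind,
    caller: entry.frames.find((f) => /library/.test(f)) || entry.frames[0] || '',
  }));
}

// Example run: two entries, one from the indirect eval and one from the
// Function constructor, each pointing at the library function that caused it.
console.log(traceDemo());
```

In a browser you would load this script before jQuery (a script-src 'self' file is fine for that), exercise the page, and read the log; doing the hunt under Content-Security-Policy-Report-Only avoids the page breaking halfway through. Note that replacing the global turns direct eval calls into indirect ones, so it is a diagnostic to run during testing, not something to ship.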