security headers - remove `unsafe-eval` from content security policy

  • identify the content that triggers the need for `unsafe-eval` in scripts
  • file issues to have that script content updated so it no longer needs `unsafe-eval`
  • remove the `unsafe-eval` designation from the CSP header at the WWW front end, such as HAProxy

re: Content-Security-Policy object-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://gl-static.global.ssl.fastly.net https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/; style-src 'self' 'unsafe-inline' https://gl-static.global.ssl.fastly.net; img-src * data: blob:; frame-src 'self' https://www.google.com/recaptcha/; frame-ancestors 'self'; connect-src 'self' https://gl-static.global.ssl.fastly.net wss://gitlab.com https://sentry.gitlap.com https://customers.gitlab.com; report-uri https://sentry-infra.gitlap.com/api/3/csp-report/?sentry_key=a664fdde83424b43a991f25fa7c78987

which was retrieved 2017-10-12 from https://gitlab.com/dashboard
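Added example (not part of the issue or of GitLab's code) covering steps 1 and 3: it parses the header quoted above, reports which directives still permit eval(), builds the hardened header with `unsafe-eval` dropped, and pairs it with a Report-Only variant so the existing report-uri endpoint can surface the content that still relies on eval before the enforced header changes. Function names and the `report_only_header` helper are our own.

```python
"""Check a Content-Security-Policy header for 'unsafe-eval' and build the hardened form."""

# Sample input: the header quoted on the page (retrieved 2017-10-12 from https://gitlab.com/dashboard).
CSP_FROM_PAGE = (
    "object-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval' "
    "https://gl-static.global.ssl.fastly.net https://www.google.com/recaptcha/ "
    "https://www.gstatic.com/recaptcha/; style-src 'self' 'unsafe-inline' "
    "https://gl-static.global.ssl.fastly.net; img-src * data: blob:; "
    "frame-src 'self' https://www.google.com/recaptcha/; frame-ancestors 'self'; "
    "connect-src 'self' https://gl-static.global.ssl.fastly.net wss://gitlab.com "
    "https://sentry.gitlap.com https://customers.gitlab.com; "
    "report-uri https://sentry-infra.gitlap.com/api/3/csp-report/?sentry_key=a664fdde83424b43a991f25fa7c78987"
)


def parse_csp(header):
    """Split a CSP header into {directive: [source, ...]}, keeping directive order."""
    policy = {}
    for raw in header.split(";"):
        tokens = raw.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        # Per the CSP spec a repeated directive is ignored; the first one wins.
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def serialize_csp(policy):
    """Re-join a parsed policy into header form."""
    return "; ".join(" ".join([name, *sources]) for name, sources in policy.items())


def directives_allowing_eval(policy):
    """Directives that permit eval()/new Function(): script-src, or default-src when
    script-src is absent (script-src falls back to default-src)."""
    candidates = ["script-src"] if "script-src" in policy else ["default-src"]
    return [d for d in candidates if "'unsafe-eval'" in policy.get(d, [])]


def remove_unsafe_eval(policy):
    """Return a copy of the policy with 'unsafe-eval' stripped from every directive."""
    return {name: [s for s in sources if s != "'unsafe-eval'"] for name, sources in policy.items()}


def report_only_header(policy):
    """Header pair for a staged rollout: browsers report (via report-uri) but do not block,
    which identifies the scripts that still need eval before the enforced header is tightened."""
    return ("Content-Security-Policy-Report-Only", serialize_csp(policy))


if __name__ == "__main__":
    current = parse_csp(CSP_FROM_PAGE)
    print("directives allowing eval:", directives_allowing_eval(current))
    print(*report_only_header(remove_unsafe_eval(current)), sep=": ")
```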