Review the work needed to remove `unsafe-eval` in the CSP
We currently have `unsafe-eval` in the CSP: https://gitlab.com/gitlab-org/gitlab/-/blob/f02a6282f1b3b4784aa80964d6bf0a07b44f3e3f/lib/gitlab/content_security_policy/directives.rb#L19
Simply removing it causes a number of issues (see #425920 (comment 1587454265)).
We should investigate to see how much work is needed to fix those compared to the gain in security.
This isn't a vulnerability in itself, and it requires the presence of a very specific type of XSS that sinks into an `eval`, which, as far as I'm aware, isn't an issue we've ever had here out of all our previous XSSes. Not saying it can't ever happen, but we have other areas where we can have more impact.
Edited by Dominic Couture
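To make the trade-off above concrete, here is an added example (not GitLab's code and not taken from `directives.rb`) that parses a Content-Security-Policy header, reports whether the effective `script-src` directive still permits `eval()`, `new Function()` and string-argument `setTimeout`/`setInterval`, and shows the header with `'unsafe-eval'` stripped. The sample policy in `CURRENT_CSP` is constructed for illustration and is not GitLab's real policy; `https://example.invalid/` is a placeholder host. The check follows the CSP fallback rules: `script-src` governs eval, `default-src` applies only when `script-src` is absent, and with neither present CSP imposes no eval restriction at all. `'strict-dynamic'` has no effect on eval, and CSP Level 3's separate `'wasm-unsafe-eval'` keyword allows WebAssembly compilation without re-enabling JavaScript eval, which is worth knowing if some of the breakage turns out to be WebAssembly rather than JavaScript.

```ruby
# Added example, not GitLab code: audit a CSP header for eval permission
# and produce the hardened variant with 'unsafe-eval' removed.

# Parse "name value value; name value" into { "name" => [values] }.
# A directive repeated within one policy is ignored after its first
# occurrence, matching how browsers treat duplicates.
def parse_csp(header)
  header.split(';').each_with_object({}) do |chunk, directives|
    name, *values = chunk.strip.split(/\s+/)
    next if name.nil? || name.empty?

    directives[name.downcase] ||= values
  end
end

# Returns :unrestricted (no script-src and no default-src), :eval_allowed
# (governing directive lists 'unsafe-eval') or :eval_blocked.
def eval_status(header)
  directives = parse_csp(header)
  governing = directives['script-src'] || directives['default-src']
  return :unrestricted if governing.nil?

  governing.map(&:downcase).include?("'unsafe-eval'") ? :eval_allowed : :eval_blocked
end

# Drop 'unsafe-eval' from script-src and leave every other directive and
# source expression as it was.
def strip_unsafe_eval(header)
  header.split(';').map do |chunk|
    name, *values = chunk.strip.split(/\s+/)
    next '' if name.nil? || name.empty?

    if name.downcase == 'script-src'
      ([name] + values.reject { |v| v.downcase == "'unsafe-eval'" }).join(' ')
    else
      [name, *values].join(' ')
    end
  end.reject(&:empty?).join('; ')
end

# Constructed sample header for the demonstration (not GitLab's actual policy).
CURRENT_CSP = "default-src 'self'; script-src 'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://example.invalid/; style-src 'self' 'unsafe-inline'"

if __FILE__ == $PROGRAM_NAME
  hardened = strip_unsafe_eval(CURRENT_CSP)
  puts "before: #{eval_status(CURRENT_CSP)}"
  puts "after:  #{eval_status(hardened)}"
  puts hardened
end
```

Run the hardened header through the same check before deploying it, and remember that once `script-src` exists without `'unsafe-eval'`, every `eval`-family call on the page fails with a CSP violation, not just the attacker-controlled one, which is where the breakage referenced above comes from.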