Review the work needed to remove unsafe-eval in the CSP
We currently have `unsafe-eval` in the CSP: https://gitlab.com/gitlab-org/gitlab/-/blob/f02a6282f1b3b4784aa80964d6bf0a07b44f3e3f/lib/gitlab/content_security_policy/directives.rb#L19
Simply removing it causes a number of issues; see #425920 (comment 1587454265).
We should investigate how much work is needed to fix those issues compared to the security gain.
This isn't a vulnerability in itself and it requires the presence of a very specific type of XSS that sinks into an eval which, as far as I'm aware, isn't an issue we've ever had here out of all our previous XSS. Not saying it can't ever happen, but we have other areas where we can have more impact.
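To make the risk discussed above concrete, the following is an added example (not GitLab's own code and not taken from `directives.rb`): a small Ruby helper that parses a `Content-Security-Policy` header and reports whether the policy still permits the `eval` family of sinks (`eval`, `new Function`, string `setTimeout`). It follows the CSP rule that `'unsafe-eval'` is consulted on `script-src`, falling back to `default-src` when `script-src` is absent. The two policies at the bottom are constructed samples, not GitLab's actual header.

```ruby
# Added example: audit a CSP header for 'unsafe-eval'.
# Not GitLab's code; the sample policies below are constructed for illustration.

# Parse "directive src src; directive2 src" into { "directive" => [sources] }.
# Empty segments (e.g. a trailing ';') are skipped.
def parse_csp(header)
  header.split(';').each_with_object({}) do |segment, acc|
    tokens = segment.strip.split(/\s+/)
    next if tokens.empty? || tokens.first.empty?

    name = tokens.shift.downcase
    acc[name] = tokens
  end
end

# The directive that decides whether string-to-code compilation is allowed:
# script-src if present, otherwise default-src, otherwise nothing governs it.
def eval_governing_directive(directives)
  return 'script-src' if directives.key?('script-src')
  return 'default-src' if directives.key?('default-src')

  nil
end

# :unrestricted -> no directive governs scripts, so eval is allowed by default
# :allowed      -> the governing directive lists 'unsafe-eval'
# :blocked      -> the governing directive exists and omits 'unsafe-eval'
def eval_status(header)
  directives = parse_csp(header)
  governing = eval_governing_directive(directives)
  return :unrestricted if governing.nil?

  sources = directives[governing].map(&:downcase)
  sources.include?("'unsafe-eval'") ? :allowed : :blocked
end

# Constructed sample policies (not GitLab's real header): the first still
# carries 'unsafe-eval', the second is the hardened form the issue aims for.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-eval' https://cdn.example; style-src 'self'"
HARDENED_CSP = "default-src 'self'; script-src 'self' https://cdn.example; style-src 'self'"

if __FILE__ == $PROGRAM_NAME
  [WEAK_CSP, HARDENED_CSP].each do |policy|
    status = eval_status(policy)
    label = status == :blocked ? 'OK  ' : 'WARN'
    puts "#{label} eval=#{status} :: #{policy}"
  end
end
```

Running the file prints one line per sample policy, flagging the weak one with `WARN eval=allowed`. The same helper can be pointed at the header a real response carries to confirm the hardened policy actually took effect, which is the check that the issue's "gain in security" rests on.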