webcompat.com
[CSP] global.js trying to use eval
Content Security Policy: The page’s settings blocked the loading of a resource at eval (“script-src”).
I guess we have a global.js in our webpack bundle:
var g;
// This works in non-strict mode
g = (function() {
return this;
})();
try {
// This works if eval is allowed (see CSP)
g = g || new Function("return this")();
} catch (e) {
// This works if the window reference is available
if (typeof window === "object") g = window;
}
// g can still be undefined, but nothing to do about it...
// We return undefined, instead of nothing here, so it's
// easier to handle this case. if(!global) { ...}
module.exports = g;
This doesn't seem that important, because it's inside a try/catch, but perhaps something to look into so our CSP logs don't get too annoying.
We could probably fix this by giving the script a nonce, https://webpack.js.org/guides/csp/ -- but that will require Python generating parts of the JS (it needs to be a unique nonce per page load). We haven't done that yet, but it doesn't sound impossibly hard.
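As an added example, not code from the webcompat.com project: stdlib-only Python that generates one nonce per page load, builds the matching Content-Security-Policy header, renders the `__webpack_nonce__` bootstrap tag described in the webpack CSP guide, and models the two separate CSP decisions involved (is this script element allowed, and is eval allowed). The function names, the `/dist/bundle.js` path and the policy directives are assumptions, not webcompat's actual configuration.

```python
import html
import secrets
from typing import Dict, List

# Constructed example for a Python-rendered page (e.g. Flask/Jinja); names are
# assumptions, not webcompat.com's own code.


def generate_nonce(nbytes: int = 16) -> str:
    """Return a fresh, unpredictable nonce. Generate one per response and never reuse it."""
    # token_urlsafe yields [A-Za-z0-9_-], which is safe inside both an HTML
    # attribute and a JS string literal without further escaping.
    return secrets.token_urlsafe(nbytes)


def build_csp(nonce: str, allow_eval: bool = False) -> str:
    """Build the Content-Security-Policy header value for this response."""
    script_src = ["'self'", f"'nonce-{nonce}'"]
    if allow_eval:
        # Only this keyword permits eval()/new Function(); a nonce does not.
        script_src.append("'unsafe-eval'")
    directives = {
        "default-src": ["'self'"],
        "script-src": script_src,
        "object-src": ["'none'"],
        "base-uri": ["'self'"],
    }
    return "; ".join(f"{name} {' '.join(values)}" for name, values in directives.items())


def render_script_tags(nonce: str, bundle_path: str = "/dist/bundle.js") -> str:
    """Render the inline bootstrap that hands the nonce to webpack, then the bundle tag.

    webpack's runtime reads window.__webpack_nonce__ and stamps it onto the
    <script> elements it injects for lazily loaded chunks, so those pass the
    same nonce check as the main bundle.
    """
    safe = html.escape(nonce, quote=True)
    return (
        f'<script nonce="{safe}">window.__webpack_nonce__ = "{safe}";</script>\n'
        f'<script nonce="{safe}" src="{html.escape(bundle_path, quote=True)}"></script>'
    )


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def _effective_script_src(policy: Dict[str, List[str]]) -> List[str]:
    # script-src falls back to default-src when absent.
    return policy.get("script-src", policy.get("default-src", []))


def script_tag_allowed(header: str, tag_nonce: str) -> bool:
    """Simplified model of the nonce check: the tag's nonce must match a 'nonce-…' source.

    Host-source and 'self' matching for external scripts is deliberately omitted.
    """
    return f"'nonce-{tag_nonce}'" in _effective_script_src(parse_csp(header))


def eval_allowed(header: str) -> bool:
    """eval()/new Function() are governed solely by 'unsafe-eval' in the effective script-src."""
    return "'unsafe-eval'" in _effective_script_src(parse_csp(header))


if __name__ == "__main__":
    nonce = generate_nonce()
    header = build_csp(nonce)
    print("Content-Security-Policy:", header)
    print(render_script_tags(nonce))
    print("script tag allowed:", script_tag_allowed(header, nonce))
    print("eval allowed:      ", eval_allowed(header))
```

The model makes the caveat visible: with the policy built here, the bundle's own `<script>` tag is accepted because its nonce matches, but `new Function("return this")` inside global.js is still refused because nothing in `script-src` says `'unsafe-eval'`. The try/catch therefore still takes the `window` fallback and the violation report keeps arriving; the nonce only removes the reports for script elements, which is what you want for lazily loaded chunks. Silencing the eval report without `'unsafe-eval'` means building a bundle that does not reach for `new Function` in the first place.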