In an earlier post I asked Do I need 'unsafe-eval' in the CSP Header for Google Analytics?. The answer is no but I might need it for angular.js:

FROM ngCsp angular documentation:


You can specify which of the CSP related AngularJS features should be deactivated by providing a value for the ng-csp attribute. The options are as follows:

  • no-inline-style: this stops AngularJS from injecting CSS styles into the DOM
  • no-unsafe-eval: this stops AngularJS from optimizing $parse with unsafe eval of strings