fix: remove legacy CSP eval allowance

vitormattos · vitormattos · commit df7ed74a6313 · 2026-04-20T10:34:11.000-03:00
Signed-off-by: Vitor Mattos &lt;1079143+vitormattos@users.noreply.github.com&gt;
diff --git a/lib/Controller/PageController.php b/lib/Controller/PageController.php
@@ -120,7 +120,6 @@ public function index(): TemplateResponse {
 		$response = new TemplateResponse(Application::APP_ID, 'main');
 
 		$policy = new ContentSecurityPolicy();
-		$policy->allowEvalScript(true);
 		$policy->addAllowedFrameDomain('\'self\'');
 		$policy->addAllowedWorkerSrcDomain("'self'");
 		$response->setContentSecurityPolicy($policy);
@@ -387,7 +386,6 @@ public function sign(string $uuid): TemplateResponse {
 		$response = new TemplateResponse(Application::APP_ID, 'external', [], TemplateResponse::RENDER_AS_BASE);
 
 		$policy = new ContentSecurityPolicy();
-		$policy->allowEvalScript(true);
 		$policy->addAllowedWorkerSrcDomain("'self'");
 		$response->setContentSecurityPolicy($policy);
 
diff --git a/lib/Middleware/InjectionMiddleware.php b/lib/Middleware/InjectionMiddleware.php
@@ -326,7 +326,6 @@ public function afterException($controller, $methodName, \Exception $exception):
 			);
 
 			$policy = new ContentSecurityPolicy();
-			$policy->allowEvalScript(true);
 			$policy->addAllowedFrameDomain('\'self\'');
 			$response->setContentSecurityPolicy($policy);
 			return $response;
