Currently the evaluator believes that a bypass via www.googletagmanager.com requires unsafe-eval.
However, this endpoint hosts AngularJS: https://www.googletagmanager.com/debug/badge
Also, this endpoint returns JSONP: https://www.googletagmanager.com/debug/api/vtinfo?gtm_auth=xFSd[...]&env_id=env-3&public_id=GTM-[GTMID_HERE]&templates=&callback=element.click
Therefore, actually unsafe-eval is not needed.
Since Google Tag Manager is a very popular tool, I think it would be better if this bypass was detected.
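The check this report asks for, sketched as an added example (not the evaluator's own code): it flags a `script-src` host-source that covers the two endpoints named above whether or not `unsafe-eval` is present. The endpoint table layout, the function names and the `requiresUnsafeEval` field are assumptions made for illustration.

```javascript
// Endpoints are the ones named in the report; the table layout and all
// function names are hypothetical (assumptions for this example).
const KNOWN_BYPASS_ENDPOINTS = {
  'www.googletagmanager.com': { angular: ['/debug/badge'], jsonp: ['/debug/api/vtinfo'] },
};

// Parse a CSP header value into { directive: [source, ...] }.
function parseCsp(policy) {
  const directives = Object.create(null);
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1); // duplicates are ignored
  }
  return directives;
}

// True when a CSP host-source expression allows scripts from host + path.
// Keywords, nonces, hashes, bare schemes and "*" are outside this check.
function sourceCovers(source, host, path) {
  const m = /^(?:https?:\/\/)?([^\/:]+)(?::(?:\d+|\*))?(\/.*)?$/i.exec(source);
  if (!m) return false;
  const srcHost = m[1].toLowerCase();
  const srcPath = m[2] || '';
  const hostOk = srcHost.startsWith('*.') ? host.endsWith(srcHost.slice(1)) : srcHost === host;
  if (!hostOk) return false;
  if (srcPath === '') return true;
  return srcPath.endsWith('/') ? path.startsWith(srcPath) : path === srcPath;
}

// Report allowlisted hosts with known AngularJS/JSONP endpoints. The finding
// does not depend on 'unsafe-eval' being present, which is the report's point.
function findAllowlistBypasses(policy) {
  const d = parseCsp(policy);
  const sources = d['script-src'] || d['default-src'] || [];
  // With 'strict-dynamic', supporting browsers ignore host-source expressions.
  if (sources.some((s) => s.toLowerCase() === "'strict-dynamic'")) return [];
  const findings = [];
  for (const [host, endpoints] of Object.entries(KNOWN_BYPASS_ENDPOINTS)) {
    for (const [kind, paths] of Object.entries(endpoints)) {
      for (const path of paths) {
        const source = sources.find((s) => sourceCovers(s, host, path));
        if (source) findings.push({ source, host, kind, path, requiresUnsafeEval: false });
      }
    }
  }
  return findings;
}
```

A source narrowed to a single file, such as `https://www.googletagmanager.com/gtm.js`, covers neither endpoint and produces no finding.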