Add unsafe-eval to default CSP since many frameworks run faster with it on
diff --git a/www/index.html b/www/index.html
index 10dbeb6..646f9cb 100644
--- a/www/index.html
+++ b/www/index.html
@@ -25,11 +25,10 @@
Some notes:
* gap: is required only on iOS (when using UIWebView) and is needed for JS->native communication
* https://ssl.gstatic.com is required only on Android and is needed for TalkBack to function properly
- * Disables use of eval() and inline scripts in order to mitigate risk of XSS vulnerabilities. To change this:
+ * Disables use of inline scripts in order to mitigate risk of XSS vulnerabilities. To change this:
* Enable inline JS: add 'unsafe-inline' to default-src
- * Enable eval(): add 'unsafe-eval' to default-src
-->
- <meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com; style-src 'self' 'unsafe-inline'; media-src *">
+ <meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *">
<meta name="format-detection" content="telephone=no">
<meta name="msapplication-tap-highlight" content="no">
<meta name="viewport" content="user-scalable=no, initial-scale=1, maximum-scale=1, minimum-scale=1, width=device-width">
