Open
Description
Our Content Security Policy includes the following:
script-src 'self' 'unsafe-eval'...
We have to use unsafe-eval because Alpine requires it.
unsafe-eval: "Allows the use of eval() and similar methods for creating code from strings."
See: alpinejs/alpine#237
This may change in a future release, or be mitigated by Alpine. I don't think, for our purposes, this means we should not use Alpine, but we should consider implications and watch for Alpine's improvements.
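One way to watch for this, as an added example that is not part of the original issue or of Alpine's code: a small check that reports whether a policy string still permits eval(), suitable for a CI step once Alpine no longer needs it. The function name `evalPolicy` and the sample policies are constructed for illustration, and the input is assumed to be a single policy (no comma-separated list).

```javascript
// Added example: report whether a Content-Security-Policy string permits eval().
// evalPolicy and the sample policies below are hypothetical, not project code.
function evalPolicy(csp) {
  const directives = new Map();
  for (const part of csp.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by the browser: the first occurrence wins.
    if (!directives.has(name)) {
      // Keyword sources such as 'unsafe-eval' match case-insensitively.
      directives.set(name, tokens.slice(1).map((t) => t.toLowerCase()));
    }
  }
  // eval() is governed by script-src, falling back to default-src.
  const governing = directives.has('script-src') ? 'script-src'
    : directives.has('default-src') ? 'default-src'
    : null;
  if (governing === null) {
    // Neither directive is present, so the policy does not restrict eval() at all.
    return { allowsEval: true, governing: null };
  }
  return {
    allowsEval: directives.get(governing).includes("'unsafe-eval'"),
    governing,
  };
}

// Constructed sample policies; the first is the visible part of the policy above.
const samples = [
  "script-src 'self' 'unsafe-eval'",
  "default-src 'self' 'unsafe-eval'; script-src 'self'",
  "default-src 'self' 'UNSAFE-EVAL'",
  "img-src *",
  "script-src 'self'; script-src 'unsafe-eval'",
];
for (const policy of samples) {
  const r = evalPolicy(policy);
  console.log(`${r.allowsEval ? 'eval allowed' : 'eval blocked'} (${r.governing}) <- ${policy}`);
}
```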