FEATURE: Add hidden setting to allow `unsafe-eval` in CSP

This new setting defaults to `true` for now, until we make sure that all official plugins and theme components work without `unsafe-eval` in the CSP.

config/site_settings.yml

@@ -1389,6 +1389,9 @@ security:
   content_security_policy_script_src:
     type: list
     default: ""
+  content_security_policy_allow_unsafe_eval:
+    default: true
+    hidden: true
   invalidate_inactive_admin_email_after_days:
     default: 365
     min: 0

lib/content_security_policy/default.rb

@@ -45,13 +45,13 @@ class ContentSecurityPolicy
 
     def script_src
       [
-        :unsafe_eval,
         :report_sample,
         "#{base_url}/logs/",
         "#{base_url}/sidekiq/",
         "#{base_url}/mini-profiler-resources/",
         *script_assets
       ].tap do |sources|
+        sources << :unsafe_eval if SiteSetting.content_security_policy_allow_unsafe_eval
         sources << 'https://www.google-analytics.com/analytics.js' if SiteSetting.ga_universal_tracking_code.present?
         sources << 'https://www.googletagmanager.com/gtm.js' if SiteSetting.gtm_container_id.present?
       end