From 5c3f994c80e1a855c8d47bbe7e9e486e120a611f Mon Sep 17 00:00:00 2001
From: Robin Ward <robin.ward@gmail.com>
Date: Fri, 24 Jan 2020 13:18:03 -0500
Subject: [PATCH] DEV: For now, re-enable unsafe-eval in development mode

This allows us to use `sourceURL` which otherwise does not work. In the
future we hope to have proper source maps in development mode and
disable this again.
---
 lib/content_security_policy/default.rb | 1 +
 lib/source_url.rb                      | 5 ++++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/lib/content_security_policy/default.rb b/lib/content_security_policy/default.rb
index 7a6f1d24a5f..2526fc3c8d3 100644
--- a/lib/content_security_policy/default.rb
+++ b/lib/content_security_policy/default.rb
@@ -51,6 +51,7 @@ class ContentSecurityPolicy
         "#{base_url}/mini-profiler-resources/",
         *script_assets
       ].tap do |sources|
+        sources << :unsafe_eval if Rails.env.development? # TODO remove this once we have proper source maps in dev
         sources << 'https://www.google-analytics.com/analytics.js' if SiteSetting.ga_universal_tracking_code.present?
         sources << 'https://www.googletagmanager.com/gtm.js' if SiteSetting.gtm_container_id.present?
       end
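Review bot: The added `:unsafe_eval` source is gated only on `Rails.env.development?`, and nothing visible in this hunk pins that it stays out of every other environment, so a spec asserting that the `script-src` built outside development never contains `'unsafe-eval'` would be worth adding with it. With eval allowed in development, CSP violations caused by eval-style code in plugins or themes will no longer show up locally and will first appear where the stricter policy applies. The entry is also the only symbol among string sources here; whether it is rendered as the quoted keyword `'unsafe-eval'` depends on builder code outside this hunk (the enclosing method starts and ends outside it) and should be confirmed. The TODO would be easier to follow up with a reference, e.g. `# TODO: remove once dev has real source maps (see <tracking-issue>)`.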
diff --git a/lib/source_url.rb b/lib/source_url.rb
index d7aa2bbb2ed..38078255f71 100644
--- a/lib/source_url.rb
+++ b/lib/source_url.rb
@@ -16,6 +16,9 @@ class SourceURL < Tilt::Template
   end
 
   def evaluate(scope, locals, &block)
-    "#{data.rstrip} //# sourceURL=#{scope.logical_path}\n\n"
+    code = +"eval("
+    code << data.inspect
+    code << " + \"\\n//# sourceURL=#{scope.logical_path}\""
+    code << ");\n"
   end
 end
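Review bot: `data.inspect` in `evaluate` emits a Ruby string literal, not a JavaScript one, so escapes that Ruby produces but JavaScript reads differently (for example `\e` for an ESC byte, which JavaScript reads as the letter `e`) will change the script that reaches `eval`; a JSON encoder is the safer way to build the literal. `scope.logical_path` is also interpolated into a double-quoted JavaScript string without escaping, so a path containing `"` or `\` would break or alter the generated code. Both can be handled by encoding the whole payload once, e.g. `"eval(#{(data + "\n//# sourceURL=#{scope.logical_path}").to_json});\n"`, assuming `to_json` is available in this file as it is in a Rails app. Nothing in the hunk limits this template to development, so if it is registered in other environments the generated `eval` call would be refused by a policy without `'unsafe-eval'`; the registration is outside the hunk and should be checked.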