fix(CSP): unsafe-eval in default-src

website/server/middlewares/index.js

@@ -69,6 +69,7 @@ export default function attachMiddlewares (app, server) {
     contentSecurityPolicy: {
       directives: {
         defaultSrc: [
+          '\'unsafe-eval\'',
           '*.amazonaws.com',
           '*.habitica.com',
           'cloudfront.loggly.com',
@@ -77,9 +78,6 @@ export default function attachMiddlewares (app, server) {
           'static-na.payments-amazon.com',
         ],
         imgSrc: '*',
-        scriptSrc: [
-          '\'unsafe-eval\'',
-        ],
         upgradeInsecureRequests: IS_PROD ? [] : null,
       },
     },