Allow unsafe-eval
When I use the Preview button within Web Experimentation, I see the following error in my developer console:
Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive
When I reached out to Optimizely support, they confirmed that this is a known issue; Preview Mode uses the eval() function, which is only possible if your CSP allows unsafe-eval.
As allowing unsafe-eval is not recommended due to the security risks and would essentially nullify the protections we gain from CSP, we are unable to use Web Experimentation.
I encourage Optimizely to support keeping unsafe-eval out of our CSP while keeping all Web Experimentation functionality.
