Crate not working with Content Security Policy

[mateesville93]

Hi, I'm trying to add crate to my site and CSP is blocking the script because it uses eval()
It will be nice if you can remove eval() from the script.

Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive

eval() - JavaScript MDN

[Yomanz]

You should be able to use no-eval in the crate script tag.

Open the issue again if that doesn't fix it.

[CxRes]

I am still having CSP issue with the introduction of a style tag.

crate.js:formatted:13642 
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='), or a nonce ('nonce-...') is required to enable inline execution.

Can you please suggest a way to avoid this (other than unsafe-inline). Or do you need to refactor code or introduce a new CSP policy?