Hi Folks,

We have been using ExtJS for our web application. In order to find security vulnerabilities in our application, we run various security scanners to be clean. On the suggestion of the Acunetix Web Application scanner, we have introduced the Content-Security-Policy header to our Nginx web server and, after this, the Sencha application fails to boot up with the below error:

Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' http: https: data: blob: 'unsafe-inline'".

at new Function (<anonymous>)
at Object.init
at Ext.Boot.

We run this in production mode and have a minified app.js which is loaded by the microloader.

Any suggestions on how to proceed further would be of great help. Is there an alternative to use for eval?
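
Added example, not part of the original post and not Sencha's code: a small JavaScript check run against the policy quoted in the error above. It shows that `new Function()` is governed by `script-src`, which falls back to `default-src`, and is allowed only when that directive lists `'unsafe-eval'`; it also lists the bare-scheme and `'unsafe-inline'` sources the policy already carries. The function names are hypothetical.

```javascript
// Policy string exactly as quoted in the browser error above.
const POLICY = "default-src 'self' http: https: data: blob: 'unsafe-inline'";

// Parse a policy into a Map: directive name -> list of source expressions.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Return the directive that governs script execution, or null if none does.
function governingScriptDirective(directives) {
  if (directives.has('script-src')) return 'script-src';
  if (directives.has('default-src')) return 'default-src';
  return null;
}

// eval(), new Function() and string-argument setTimeout() need 'unsafe-eval'
// in the governing directive. script-src replaces default-src, it does not merge.
function evalVerdict(policy) {
  const directives = parseCsp(policy);
  const governing = governingScriptDirective(directives);
  if (governing === null) return { governing, allowed: true };
  const sources = directives.get(governing).map((s) => s.toLowerCase());
  return { governing, allowed: sources.includes("'unsafe-eval'") };
}

// Sources that keep a script policy permissive: bare schemes and 'unsafe-inline'.
function broadSources(policy) {
  const directives = parseCsp(policy);
  const governing = governingScriptDirective(directives);
  if (governing === null) return [];
  return directives.get(governing).filter(
    (s) => /^[a-z][a-z0-9+.-]*:$/i.test(s) || s.toLowerCase() === "'unsafe-inline'"
  );
}

console.log(evalVerdict(POLICY), broadSources(POLICY));
```

For the posted policy the verdict is `default-src` with eval not allowed, which matches the `EvalError` raised at `new Function`.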