Title: CSP script-src unsafe-eval should be removed from headers
- What is your original issue/pain point you want to solve? Our security team pointed out that this CSP configuration is present in the HTTP headers, and it is detected as a possible security risk by many security scanning software products.
- Which are one or two concrete situations where this problem hurts the most? The internal security team is bugging us periodically whenever a new security scan looks at our Zammad instance.
- Why is it not solvable with the Zammad standard? The header is needed for correct operation of the Zammad UI, and cannot be removed without impact on the software.
- What is your expectation/what do you want to achieve? Rework the UI code in order to not need eval() and remove the allow-unsafe CSP.