Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' img-src * 'unsafe-inline'". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.