unsafe-eval is required in content-security-policy
The current implementation of the angular / HTML5 report viewer requires a script-src 'unsafe-eval' in a content-security-policy. This is quite unfortunate in terms of security considerations. Please remove this requirement.