Using Cesium with CSP settings

Hi all,

I recently started to check some Content-Security-Policy settings on our server and, to my big surprise, noticed that I can’t use Cesium anymore. As soon as I set

Content-Security-Policy script-src 'self'

the viewport does not come up and instead the browser throws an error:

Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'"

Adding 'unsafe-eval' to the settings would be possible in theory, but is basically an absolute no-go security-wise.

I searched a bit and found posts saying one should disable all Cesium widgets. Fine for me, as we don’t use them. However, it doesn’t solve the issue. The error still appears.

Is there any way to run Cesium in a rather secure way?

Thanks in advance,

Heiner