sourced eval should not execute with policy "script-src 'self' 'unsafe-inline'".
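
The expectation above follows from how CSP gates eval(): only 'unsafe-eval' in script-src (or in the default-src fallback) permits it, and 'unsafe-inline' has no bearing on it. As an added example, not part of the original test, this JavaScript check reports whether an enforced Content-Security-Policy header value permits eval(); the function names and sample policies are constructed for illustration.

```javascript
// Added example (not from the original test): does a CSP header value permit eval()?

// Parse one serialized policy into a Map of directive name -> source expressions.
function parsePolicy(policy) {
  const directives = new Map();
  for (const raw of policy.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A duplicate directive is ignored: the first occurrence wins.
    if (!directives.has(name)) {
      // Keyword sources are case-insensitive, so lowercase them for matching.
      directives.set(name, tokens.slice(1).map((t) => t.toLowerCase()));
    }
  }
  return directives;
}

// eval() is governed by script-src, falling back to default-src.
function policyAllowsEval(policy) {
  const directives = parsePolicy(policy);
  const sources = directives.get('script-src') ?? directives.get('default-src');
  if (sources === undefined) return true; // no governing directive: unrestricted
  return sources.includes("'unsafe-eval'"); // 'unsafe-inline' is irrelevant here
}

// A header value may carry several comma-separated policies; all must allow eval().
function headerAllowsEval(headerValue) {
  return headerValue.split(',').every((p) => policyAllowsEval(p));
}

// Constructed sample policies; the first is the one from the test line above.
const SAMPLES = [
  "script-src 'self' 'unsafe-inline'",
  "script-src 'self' 'unsafe-eval'",
  "default-src 'self'",
  "img-src *",
  "script-src 'unsafe-eval', script-src 'self'",
];

function auditSamples() {
  return SAMPLES.map((p) => ({ policy: p, evalAllowed: headerAllowsEval(p) }));
}

for (const r of auditSamples()) {
  console.log(`${r.evalAllowed ? 'eval allowed' : 'eval blocked'}  ${r.policy}`);
}
```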