Hi,
Nextcloud server and apps require the unsafe-eval entry in the CSP header for now. Devs are already aware of that and trying to remove it:
Because it is not easy to do and requires a lot of changes in the code, it takes some time. However, it is in the Backlog of the “Security Hardenings” (first column on the left side):
This CSP header entry should not be a serious issue though since @LukasReschke made some changes:
“This seems rather hard to accomplish due to our existing JS code base. As a first step I’ve added a hardening to jQuery that makes the unsafe-eval in jQuery a non-issue at least: #3874”
(Source: Get rid of all unsafe-eval Javascripts · Issue #1185 · nextcloud/server · GitHub)
As soon as the code base has been adapted, the CSP header will be removed by Nextcloud with a feature update. So there is nothing to do for you. Just wait until it’s “enhanced” (not to say fixed).
But I’m with you; I’m also hoping it is done soon.