
Workaround for unsafe-eval not being in CSP Chrome? #1984

Closed
perpil opened this issue Jan 30, 2024 · 4 comments

Comments


perpil commented Jan 30, 2024

I have a script that uses eval by creating a new Function with user provided input. I discovered it recently stopped working in Chrome, but still works in Firefox with TamperMonkey 5.0.1. Whenever I try to eval something I get this error:

Uncaught (in promise) EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src github.githubassets.com".

This could be for 3 reasons:

  1. Chrome started enforcing it
  2. Github modified their CSP to remove unsafe-eval
  3. TamperMonkey changed something

I've tried a few things, but the only thing that worked was to use the Disable Content-Security-Policy extension which is less than ideal.

Before I explore running my JavaScript on a server or some other workaround, could this be related to the changes made to support MV3? If so, is there any way I can run eval on a page that doesn't have unsafe-eval in the CSP? Do I need to do some sort of weird iframe trick like this? https://medium.com/geekculture/how-to-use-eval-in-a-v3-chrome-extension-f21ca8c2160c

Expected Behavior

It is possible to execute a function with user provided content

Actual Behavior

Uncaught (in promise) EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src github.githubassets.com".

Specifications

  • Chromium: 121.0.6167.85
  • TM: (i.e. 5.0.1)
  • OS: (i.e. MacOS 14.2.1)

Script

// ==UserScript==
// @name         Github CSP test
// @namespace    http://tampermonkey.net/
// @version      1.00
// @description  Test eval on github
// @sandbox      JavaScript
// @author       You
// @match        https://github.com/*
// @icon         https://www.google.com/s2/favicons?sz=64&domain=github.com
// ==/UserScript==

(function() {
    // Constructing a Function from a string is an eval-like operation, so the
    // page's script-src (which has no 'unsafe-eval') governs whether it runs.
    new Function('console.log("hello world")')();
})();

Go to any github page and look in the console to see the output.

Author

perpil commented Jan 31, 2024

I had tried setting "Modify existing content security policy (CSP) headers" to "Yes", but didn't realize there was a "Save" button. Setting it to "Yes" and clicking "Save" fixed the issue.

@perpil perpil closed this as completed Jan 31, 2024
Member

derjanb commented Jan 31, 2024

Another option would be GM_addElement -> #881 (comment)

Author

perpil commented Jan 31, 2024

Thanks! I'll give that a shot. It seems like a much better solution than having my users change TamperMonkey configuration.

Author

perpil commented Jan 31, 2024

I tried this as an experiment:

GM_addElement('script', {
    textContent: `window.testEval = new Function('return false');`
});

But got:

Uncaught EvalError: call to Function() blocked by CSP
    <anonymous> https://github.com/No-Backspace-Crew/Speedrun:2

Are you talking about using GM_addElement with a script or iframe? I had some success adding an iframe that loaded content with an eval in it and then sending messages to it.
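As an added example (not code from this issue or from Tampermonkey), the following shows how a userscript can check up front whether a page's CSP permits eval-like APIs, both by parsing the policy string (the one quoted in the error above is used as constructed sample input) and by feature-detecting at runtime, so the script can fall back to a non-eval path instead of asking users to weaken the policy. Function names and sample policies are assumptions for illustration.

```javascript
// Parse a CSP string into a map of directive name -> list of source tokens.
// Per the CSP spec the first occurrence of a directive wins; duplicates are ignored.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) {
      directives.set(key, sources.map((s) => s.toLowerCase()));
    }
  }
  return directives;
}

// Does this policy permit eval()/new Function() in scripts?
// script-src governs it; if script-src is absent, default-src is the fallback;
// if neither is present the policy does not restrict eval at all.
function cspAllowsEval(policy) {
  const d = parseCsp(policy);
  const sources = d.get("script-src") ?? d.get("default-src");
  if (sources === undefined) return true;
  return sources.includes("'unsafe-eval'");
}

// Runtime feature check: constructing a Function with a constant body is
// harmless, and an enforcing page throws the EvalError seen in the issue.
function evalAvailable() {
  try {
    new Function("return 1")();
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed sample policies; "github" is the directive quoted in the error.
const SAMPLE_POLICIES = {
  github: "script-src github.githubassets.com",
  permissive: "default-src 'self'; script-src 'self' 'unsafe-eval'",
  defaultOnly: "default-src 'self' 'unsafe-eval'; script-src 'self'",
  none: "img-src 'self'",
};

for (const [label, policy] of Object.entries(SAMPLE_POLICIES)) {
  console.log(label, "allows eval:", cspAllowsEval(policy));
}
console.log("eval available in this runtime:", evalAvailable());
```

In a userscript, `evalAvailable()` is the check to trust at runtime; `cspAllowsEval()` is useful when inspecting a response's Content-Security-Policy header during development.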
