
170 points bko | 1 comments
1. j13n No.43650921
The linked post relies on the Datastar project, which requires use of `unsafe-eval` in one’s Content-Security-Policy [1]:

> When using a Content Security Policy (CSP), unsafe-eval must be allowed for scripts, since Datastar evaluates expressions using an IIFE (Immediately Invoked Function Expression).

The project itself links to Mozilla’s docs on CSP, which state:

> The unsafe-eval keyword can be used to override this behavior, and as with unsafe-inline, and for the same reasons: developers should avoid unsafe-eval.

Out of the box, htmx uses a similar approach, but one can disable this use of eval [2]:

  htmx.config.allowEval - can be set to false to disable all features of htmx that rely on eval:
  
  - event filters
  - hx-on: attributes
  - hx-vals with the js: prefix
  - hx-headers with the js: prefix

[1]: https://github.com/starfederation/datastar/blob/develop/site...

[2]: https://htmx.org/docs/#configuration-options