Hasantha

Reputation: 117

Google Tag Manager console error after removing unsafe-eval from CSP header

We need to remove unsafe-eval from the Content Security Policy header in our application for security reasons. But after removing it, we get a console error saying

call to eval() or related function blocked by CSP

We have added the "https://www.googletagmanager.com" domain to the script-src as well, but it still prompts the error.

Is there a way to allow unsafe-eval only for the Google Tag Manager domain? Or is there any other alternative?

The sample analytics code snippet that we use in our script is below:

(function (w, d, s, l, i) {
    w[l] = w[l] || [];
    w[l].push({ 'gtm.start': new Date().getTime(), event: 'gtm.js' });
    var f = d.getElementsByTagName(s)[0],
        j = d.createElement(s),
        dl = l != 'dataLayer' ? '&l=' + l : '';
    j.async = true;
    j.src = '//www.googletagmanager.com/gtm.js?id=' + i + dl;
    f.parentNode.insertBefore(j, f);
})(window, document, 'script', 'dataLayer', 'GTM-123456');

Upvotes: 2

Views: 2747

Answers (1)

Eike Pierstorff

Reputation: 32770

According to this Lunametrics article, GTM uses eval for custom JavaScript variables:

[...] your scripts may execute a little more slowly as a result, since there will now be an additional eval() for the Custom JavaScript Variable that you are passing your arguments to

In fact, when I add a custom JS variable to a container that did not have any before, the following piece of code is added to the gtm.js file:

// Copyright 2012 Google Inc. All rights reserved.
// Container Version: QUICK_PREVIEW
(function(w,g){w[g]=w[g]||{};w[g].e=function(s){return eval(s);};})(window,'google_tag_manager');(function(){

var __c;__c=function(a){return a["39"]};__c.a="c";__c.b=["google"];__c.isVendorTemplate=!0;

(Notice the use of eval in the first line after the comment).

So I suspect that removing unsafe-eval might work if you can do without custom JavaScript variables.

Upvotes: 3
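An added example, not code from the question, the answer, or Google Tag Manager itself, that models the CSP decision under discussion: it parses a Content-Security-Policy header value, reports whether eval() is still permitted and whether the googletagmanager.com host is allow-listed for script-src, and installs the browser-side violation listener that reveals which script attempted a blocked eval(). The two policy strings and the /csp-report path are constructed for this example, and `parseCsp`, `allowsEval`, `allowsScriptHost` and `installViolationLogger` are names of my own, not a library API.

```javascript
// Added example, not code from the question or the answer above. It models the CSP
// decision the question is about: whether a policy still permits eval() once
// 'unsafe-eval' is dropped, independently of which script hosts are allow-listed.
// Host allow-listing and 'unsafe-eval' are separate mechanisms in CSP: eval() is
// permitted for the whole document or not at all, so there is no per-origin grant.
// Policy strings and the /csp-report endpoint below are constructed for this example.

// Split a header value into directive -> [source expressions].
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    // Browsers honour the first occurrence of a directive and ignore repeats.
    if (!policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// script-src governs eval(); when it is absent the policy falls back to default-src.
function effectiveScriptSources(policy) {
  if (policy.has('script-src')) return policy.get('script-src');
  if (policy.has('default-src')) return policy.get('default-src');
  return null; // no governing directive: scripts (and eval) are unrestricted
}

// eval(), new Function() and string-argument setTimeout/setInterval run only if the
// governing directive carries the quoted 'unsafe-eval' keyword.
function allowsEval(header) {
  const sources = effectiveScriptSources(parseCsp(header));
  if (sources === null) return true;
  return sources.some(s => s.toLowerCase() === "'unsafe-eval'");
}

// Host-source matching for external scripts: "https://host", "host" and "*.host"
// forms. Keywords, nonces, hashes and bare scheme sources (e.g. "https:") are not
// modelled here, so they never match a host in this simplified check.
function hostMatches(source, hostname) {
  let s = source.toLowerCase();
  if (s.startsWith("'")) return false;
  if (s === '*') return true;
  s = s.replace(/^[a-z][a-z0-9+.-]*:\/\//, ''); // drop scheme
  s = s.split('/')[0].split(':')[0];             // drop path and port
  if (s.startsWith('*.')) return hostname.endsWith(s.slice(1));
  return s === hostname;
}

function allowsScriptHost(header, hostname) {
  const sources = effectiveScriptSources(parseCsp(header));
  if (sources === null) return true;
  return sources.some(s => hostMatches(s, hostname.toLowerCase()));
}

// Weak policy: GTM is allow-listed and eval() is open to every script on the page.
const WEAK_POLICY =
  "default-src 'self'; script-src 'self' 'unsafe-eval' https://www.googletagmanager.com";

// Hardened policy: same host allow-list, no 'unsafe-eval'; violations are reported
// to a collection endpoint (placeholder path) so blocked eval() calls are visible
// server-side rather than only in the browser console.
const HARDENED_POLICY =
  "default-src 'self'; script-src 'self' https://www.googletagmanager.com; report-uri /csp-report";

// In a browser, a blocked eval() also raises a SecurityPolicyViolationEvent; logging
// sourceFile and lineNumber shows which script (here gtm.js) attempted it. Returns
// false outside a browser, where there is no document to listen on.
function installViolationLogger() {
  if (typeof document === 'undefined') return false;
  document.addEventListener('securitypolicyviolation', (e) => {
    console.warn('CSP violation:', e.violatedDirective, e.blockedURI, e.sourceFile, e.lineNumber);
  });
  return true;
}

for (const [label, policy] of [['weak', WEAK_POLICY], ['hardened', HARDENED_POLICY]]) {
  console.log(label, 'eval allowed:', allowsEval(policy),
              'gtm host allowed:', allowsScriptHost(policy, 'www.googletagmanager.com'));
}
installViolationLogger();
```

Run under Node, it reports that both policies allow the GTM host but only the weak one permits eval(), which is why adding the domain to script-src does not clear the console error: 'unsafe-eval' is a document-wide keyword, not something a host entry can grant. In a browser the listener makes the same condition observable, with sourceFile pointing at the script that called eval().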
