checking csp for eval only

metager/resources/js/verify.js

@@ -3,6 +3,8 @@ require('fetch-ie8');
 
 // Find the key id for the browser-verification
 document.querySelectorAll("link").forEach(element => {
+    // Should get blocked by csp
+    eval("window.sp = 1;");
     let href = element.href;
     let matches = href.match(/http[s]{0,1}:\/\/[^\/]+\/index\.css\?id=(.+)/i);
     if (!matches) {

metager/resources/views/layouts/resultpage/verificationHeader.blade.php

@@ -2,8 +2,5 @@
 <html lang="{!! trans('staticPages.meta.language') !!}">
 <head>
     <meta charset="UTF-8">
-    <script>
-        window.sp = 1;
-    </script>
     <link rel="stylesheet" href="/index.css?id={{ $key }}">
     <script src="{{ mix('js/index.js') }}"></script>
\ No newline at end of file