DEV: For now, re-enable unsafe-eval in development mode

This allows us to use `sourceURL` which otherwise does not work. In the
future we hope to have proper source maps in development mode and
disable this again.

lib/content_security_policy/default.rb

@@ -51,6 +51,7 @@ class ContentSecurityPolicy
         "#{base_url}/mini-profiler-resources/",
         *script_assets
       ].tap do |sources|
+        sources << :unsafe_eval if Rails.env.development? # TODO remove this once we have proper source maps in dev
         sources << 'https://www.google-analytics.com/analytics.js' if SiteSetting.ga_universal_tracking_code.present?
         sources << 'https://www.googletagmanager.com/gtm.js' if SiteSetting.gtm_container_id.present?
       end

lib/source_url.rb

@@ -16,6 +16,9 @@ class SourceURL < Tilt::Template
   end
 
   def evaluate(scope, locals, &block)
-    "#{data.rstrip} //# sourceURL=#{scope.logical_path}\n\n"
+    code = +"eval("
+    code << data.inspect
+    code << " + \"\\n//# sourceURL=#{scope.logical_path}\""
+    code << ");\n"
   end
 end