If you search through the dist/main.js file, you'll find new Function("return this").
See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/script-src#unsafe_eval_expressions for more about CSP. TL;DR: it's blocked by anyone using CSP rules unless they include unsafe-eval.
Additionally, it may trigger some warnings in the browser console and a report if they are using a tool like PostHog to track CSP violations.
I don't think your source code uses new Function("return this") at all; it's probably just how things are bundled.
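
As an added example (not part of the original post or the project's code), here is a Node.js check that scans bundle text for eval-like constructs and reports whether a given Content-Security-Policy header value would permit them. The function names and the sample bundle are constructed for illustration, and the scan is a text heuristic rather than a full parser.

```javascript
// Added example: parseCsp, allowsEval and findEvalSinks are hypothetical names.

// Parse a CSP header value into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored by browsers; the first one wins.
    if (name && !(name.toLowerCase() in policy)) {
      policy[name.toLowerCase()] = sources;
    }
  }
  return policy;
}

// eval(), new Function() and similar are governed by script-src, falling
// back to default-src. With neither directive present nothing restricts them.
// 'wasm-unsafe-eval' only covers WebAssembly, so it does not count here.
function allowsEval(header) {
  const policy = parseCsp(header);
  const sources = policy["script-src"] ?? policy["default-src"];
  if (sources === undefined) return true;
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Report the line number of each eval-like call found in bundle text.
function findEvalSinks(bundleText) {
  const pattern = /\b(?:new\s+)?Function\s*\(|\beval\s*\(/g;
  const hits = [];
  bundleText.split("\n").forEach((line, i) => {
    for (const m of line.matchAll(pattern)) {
      hits.push({ line: i + 1, text: m[0] });
    }
  });
  return hits;
}

// Constructed sample standing in for a bundled dist/main.js.
const SAMPLE_BUNDLE = [
  "var a = 1;",
  'var g = function(){ return this }() || new Function("return this")();',
  "function isFunction(x){ return typeof x === 'function'; }",
].join("\n");

for (const hit of findEvalSinks(SAMPLE_BUNDLE)) {
  console.log(`line ${hit.line}: ${hit.text} needs 'unsafe-eval' under a strict CSP`);
}
```

Running `findEvalSinks` over the real build output in CI, and failing the build on any hit, catches a bundler setting that reintroduces the construct.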