re-add unsafe-eval and unsafe-inline based on @wagnerand request.

src/const.js

@@ -168,7 +168,8 @@ export const TEMPORARY_APIS = [
 // `script-src`. Used in manifest.json parser for validation.
 // See https://mzl.la/2vwqbGU for more details and allowed options.
 export const CSP_KEYWORD_RE = new RegExp([
-  '(self|none|strict-dynamic|unsafe-hashed-attributes)',
+  '(self|none|unsafe-inline|unsafe-eval|strict-dynamic|',
+  'unsafe-hashed-attributes)',
   // Only match these keywords, anything else is forbidden
   '(?!.)',
   '|(sha(256|384|512)-|nonce-)',

tests/parsers/test.manifestjson.js

@@ -387,10 +387,6 @@ describe('ManifestJSONParser', function() {
 
         // Properly match mixed with other directives
         "script-src https: 'unsafe-eval'; object-src 'self'",
-
-        // unsafe-eval and unsafe-inline are forbidden too.
-        "script-src 'self' 'unsafe-eval';",
-        "script-src 'self' 'unsafe-inline';",
       ];
 
       for (const invalidValue of invalidValues) {
@@ -421,6 +417,11 @@ describe('ManifestJSONParser', function() {
 
         // We only walk through default-src and script-src
         'style-src http://by.cdn.com/',
+
+        // unsafe-eval and unsafe-inline are not forbidden yet and
+        // should be reviewed by a human.
+        "script-src 'self' 'unsafe-eval';",
+        "script-src 'self' 'unsafe-inline';",
       ];
 
       for (const validValue of validValues) {