relax CSP in chrome extensiont to allow web worker use eval

.github/workflows/release.yml

@@ -68,6 +68,7 @@ jobs:
           # macOS notarization API key
           API_KEY_ID: ${{ secrets.apple_api_key_id }}
           API_KEY_ISSUER_ID: ${{ secrets.apple_api_key_issuer_id }}
+          APPLETEAMID: ${{ secrets.apple_team_id }}
           SNAPCRAFT_STORE_CREDENTIALS: ${{ secrets.SNAPCRAFT_TOKEN }}
 
       # chocolatey

DEV.md

@@ -102,3 +102,6 @@ If using Cloudflare DNS, you need to setup full SSL mode instead of flexible mod
 - Product should have recurring pricing
 
 <!-- background:linear-gradient(135deg,#00F5A0 0%,#00D9F5 100%); -->
+
+### Signing MacOS app
+https://www.codiga.io/blog/notarize-sign-electron-app/

cwex.yml

@@ -24,7 +24,8 @@ manifestOptions:
     - tabs
     - storage
     - notifications
-  content_security_policy: "script-src 'self' 'sha256-765ndVO8s0mJNdlCDVQJVuWyBpugFWusu1COU8BNbI8=' 'sha256-kFTKSG2YSVB69S6DWzferO6LmwbqfHmYBTqvVbPEp4I=' https://cdn.jsdelivr.net https://apis.google.com https://www.gstatic.com/ https://*.firebaseio.com https://www.googleapis.com localhost:* http://localhost:8002 http://localhost:8080; object-src 'self';"
+  # this CSP has been modified to allow unsafe-inline and unsafe-eval but the CSP in the index.html remains strict. This allows the web worker to have the less strict CSP.
+  content_security_policy: "script-src 'self' 'sha256-765ndVO8s0mJNdlCDVQJVuWyBpugFWusu1COU8BNbI8=' 'sha256-kFTKSG2YSVB69S6DWzferO6LmwbqfHmYBTqvVbPEp4I=' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net https://apis.google.com https://www.gstatic.com/ https://*.firebaseio.com https://www.googleapis.com localhost:* http://localhost:8002 http://localhost:8080; object-src 'self';"
   background:
     scripts:
       - js/background.js