
Need to add 'unsafe-eval' in Content Security Policy for both handlebars and jade templates #614

@hemanth-r

Description

Hi.
I am trying to add a Content Security Policy for my site, which uses OC.
But I am forced to add 'unsafe-eval' to the default-src directive of the CSP HTTP header, since the OC client calls jQuery's html() method, which internally uses eval().
I tried with both handlebars and jade templates. OC calls jQuery's html() method for the jade template as well.
Is there any way I can avoid allowing 'unsafe-eval' in the CSP header?

This issue can be reproduced with the following jade template example.
https://github.com/opencomponents/oc-components-examples/tree/master/jade-hello

To reproduce the issue, just add the following jade code to the file template.jade (an inline script block, which is what triggers the eval() path):

```jade
script.
  console.log('test');
```
