Oh bummer, yeah we need to yank the handlebars templates out before we can remove the unsafe-eval bit. Should aim to do that for sure.
I wonder if we can do this:
<script type="text/x-handlebars" data-template-name="application" src="/path/to/.hbs"></script>
With unsafe-eval switched on, a lot of the benefits of CSP are lost.
Does that work? Won't Handlebars still eval the response?
I guess we need to precompile them? Will that work?
I know that's possible if we were using requirejs, and if we ran the require optimizer. However, that's only practical in a "production" scenario, don't want that in dev. We could also do some sort of fancy precompilation on the server, but that means porting the Handlebars parser to go :P
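An added example, not code from this PR or its project, of what the trade-off in this thread looks like on the Go side: one policy keeps 'unsafe-eval' so runtime-compiled Handlebars templates still work, the stricter one drops it, a small middleware sets whichever is chosen on index.html, and an audit function reports whether a given policy still permits eval (including the CSP rule that script-src falls back to default-src when absent). The policies, paths and function names are assumptions for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Two candidate policies for index.html (constructed for this example, not the
// project's real header). The permissive one is what runtime Handlebars.compile
// needs; the strict one is the target once templates are precompiled.
const (
	CSPWithUnsafeEval = "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self'; object-src 'none'"
	CSPStrict         = "default-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'"
)

// parseCSP splits a serialized policy into directive name -> source list.
func parseCSP(policy string) map[string][]string {
	out := map[string][]string{}
	for _, d := range strings.Split(policy, ";") {
		fields := strings.Fields(d)
		if len(fields) == 0 {
			continue
		}
		out[strings.ToLower(fields[0])] = fields[1:]
	}
	return out
}

// AllowsEval reports whether scripts may call eval()/new Function() under the
// policy. script-src governs this; if it is absent, default-src applies; if
// neither is present the policy places no restriction on eval at all.
func AllowsEval(policy string) bool {
	dirs := parseCSP(policy)
	srcs, ok := dirs["script-src"]
	if !ok {
		srcs, ok = dirs["default-src"]
		if !ok {
			return true
		}
	}
	for _, s := range srcs {
		if strings.EqualFold(s, "'unsafe-eval'") {
			return true
		}
	}
	return false
}

// WithCSP wraps a handler so every response carries the given policy header.
func WithCSP(policy string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Security-Policy", policy)
		next.ServeHTTP(w, r)
	})
}

func main() {
	index := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "<!doctype html><title>index</title>")
	})
	// Serve index.html with the permissive policy until the templates are precompiled.
	http.Handle("/", WithCSP(CSPWithUnsafeEval, index))
	fmt.Println("permissive policy allows eval:", AllowsEval(CSPWithUnsafeEval))
	fmt.Println("strict policy allows eval:", AllowsEval(CSPStrict))
	http.ListenAndServe(":8080", nil)
}
```

AllowsEval is the check a follow-up issue could wire into a test, so that the header cannot silently regain 'unsafe-eval' after the templates have been precompiled.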
Merge this if you like, but then we should open a follow-up issue to remove unsafe-eval.
Set CSP header for index.html
nice one 🍰
Fixes #43