Insecure 'unsafe-eval' directive used in the browser header for riskminder-client.js. This is a client-side issue that applies if riskminder-client.js uses eval() or Function(). A hotfix that addresses this issue exists and can be requested via a Broadcom support case. Refer to https://stackoverflow.com/questions/37155270/content-security-policy-csp-safe-usage-of-unsafe-eval. Essentially, use of eval() and Function() is unsafe: both compile a string into code and execute it at runtime, so any attacker who can influence that string can execute arbitrary script in the user's browser.
Release : 9.1.x
Risk Authentication
The 'unsafe-eval' source expression, when present in the script-src directive (or in default-src when script-src is absent), allows the page to use the eval() and Function() JavaScript functions, as well as string arguments to setTimeout() and setInterval(). Allowing it reduces the protection that CSP gives riskminder-client.js against certain types of DOM-based XSS attacks, because an injected string can again be turned into executable code.
Our recommendation is to use the latest version of riskminder-client.js from the 9.1 SP4 client package (AdvancedAuthenticationClientPackage-9.1.04.zip -> ca-devicedna-javascript-client-2.2.zip), so that the page can be served with a stricter Content Security Policy (CSP).
Note that the product does not support CSP in the AFM JSP pages.
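To check which policy a deployment actually serves before and after the client upgrade, the following added example (not code from this KB article or from riskminder-client.js) parses a Content-Security-Policy header value and reports whether it permits eval()/Function(), applying the script-src to default-src fallback that browsers use; it also includes a small probe that can be pasted into the browser console on the login page. The two sample headers are constructed for illustration and are not taken from the product.

```javascript
// Added example (not from the Broadcom KB article or riskminder-client.js):
// decide whether a CSP header value permits dynamic code evaluation.
// Rules applied, as in the CSP specification:
//   - script-src governs script execution; if absent, default-src applies;
//   - if neither directive is present, CSP imposes no eval restriction;
//   - a directive repeated in one policy is honoured only the first time.

function parseCsp(header) {
  // Directives are ';'-separated; each is "name source-expression ...".
  const policy = new Map();
  for (const fragment of header.split(';')) {
    const tokens = fragment.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1)); // first occurrence wins
  }
  return policy;
}

function allowsUnsafeEval(header) {
  const policy = parseCsp(header);
  const sources = policy.get('script-src') ?? policy.get('default-src');
  if (sources === undefined) return true; // nothing governs scripts: eval is unrestricted
  // Keyword source expressions are matched case-insensitively, quotes included.
  return sources.some((src) => src.toLowerCase() === "'unsafe-eval'");
}

// Runtime probe for the browser console: returns true when the effective CSP of the
// page blocks dynamic code (the Function constructor throws an EvalError under CSP).
// In a plain Node.js process there is no CSP, so it returns false.
function cspBlocksEval() {
  try {
    new Function('return 1')();
    return false;
  } catch (err) {
    return err instanceof EvalError;
  }
}

// Constructed sample headers (assumption: the page embedding riskminder-client.js is
// served with a policy of this shape). The weak one is what an older client that
// depends on eval()/Function() needs; the hardened one drops 'unsafe-eval'.
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-eval'; object-src 'none'";
const HARDENED_CSP = "default-src 'self'; script-src 'self'; object-src 'none'";

function report(label, header) {
  const verdict = allowsUnsafeEval(header) ? 'eval()/Function() permitted' : 'eval()/Function() blocked';
  return `${label}: ${verdict}`;
}

console.log(report('weak policy', WEAK_CSP));
console.log(report('hardened policy', HARDENED_CSP));
console.log(`this runtime blocks eval: ${cspBlocksEval()}`);
```

Two practical caveats when applying this: a policy delivered in Content-Security-Policy-Report-Only only reports violations and does not block eval(), so the probe will return false there even though 'unsafe-eval' is absent; and removing 'unsafe-eval' while the older riskminder-client.js is still deployed will break that client until the 9.1 SP4 version is in place.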