Content Security Policy (CSP) is a computer security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from the execution of malicious content in the trusted web page context. CSP provides an additional level of security, but does not guarantee full protection against these types of attacks.
Best coding practices suggest configuring the CSP header without the unsafe-inline and unsafe-eval keywords. In VMware Aria Operations, these keywords are included because the product uses a JavaScript framework called ExtJs, which requires them.
Starting from VMware Aria Operations 8.12.0, we have removed all usages of JavaScript eval functions, leaving only the few that are used inside framework code and cannot be removed. In parallel, we have made our coding principles stricter to reduce the number of inline script and inline CSS occurrences in our codebase, ideally to 0 where possible.
In VMware Aria Operations, continuous scanning and testing are run against different types of attacks to ensure we find and fix any issues with the highest priority.
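To check a deployed policy for the two keywords discussed above, the following added example (not VMware code) parses a CSP header value and reports where unsafe-inline and unsafe-eval take effect for script-src and style-src, including the default-src fallback. The sample policies and the function names are constructed for illustration and are not the header that VMware Aria Operations sends.

```javascript
// Constructed sample policies; none of them is taken from a real product.
const SAMPLES = {
  framework: "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'",
  strict: "default-src 'none'; script-src 'self' 'nonce-r4nd0m' 'unsafe-inline'; style-src 'self'",
  fallback: "default-src 'self' 'unsafe-inline'",
};

// Split a header value into a Map of directive name -> list of source tokens.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers: the first occurrence wins.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

const NONCE_OR_HASH = /^'(nonce-|sha256-|sha384-|sha512-)/i;

// Report unsafe keywords in the effective script and style policies.
function auditCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  for (const directive of ['script-src', 'style-src']) {
    // Both directives fall back to default-src when they are absent.
    const from = policy.has(directive) ? directive : 'default-src';
    const sources = policy.get(from);
    if (!sources) {
      findings.push({ directive, issue: 'no-restriction', from: null });
      continue;
    }
    const has = (kw) => sources.some((s) => s.toLowerCase() === kw);
    if (has("'unsafe-inline'")) {
      // CSP Level 2+ browsers ignore 'unsafe-inline' next to a nonce or hash.
      const ignored = sources.some((s) => NONCE_OR_HASH.test(s));
      findings.push({ directive, issue: ignored ? 'unsafe-inline-ignored' : 'unsafe-inline', from });
    }
    // eval() and similar string-to-code calls are governed by script-src.
    if (directive === 'script-src' && has("'unsafe-eval'")) {
      findings.push({ directive, issue: 'unsafe-eval', from });
    }
  }
  return findings;
}

for (const [name, header] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(auditCsp(header)));
}
```

The audit covers only script-src, style-src and default-src; the finer-grained script-src-elem, script-src-attr and their style counterparts are not evaluated.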