React-scripts doesn't work if using a Content Security Policy

[rbrewington]

Describe the bug

The app builds and runs fine locally, but when I deploy it the app will not load due to an EvalError.

Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' https://stats.development.axhc.us/ https://*.typekit.net/"

It seems to trip up on this block of regenerator-runtime. Specifically the line in the catch block.

try {
  regeneratorRuntime = runtime;
} catch (accidentalStrictMode) {
  // This module should not be running in strict mode, so the above
  // assignment should always work unless something is misconfigured. Just
  // in case runtime.js accidentally runs in strict mode, we can escape
  // strict mode using a global Function call. This could conceivably fail
  // if a Content Security Policy forbids using Function, but in that case
  // the proper solution is to fix the accidental strict mode problem. If
  // you've misconfigured your bundler to force strict mode and applied a
  // CSP to forbid Function, and you're not willing to fix either of those
  // problems, please detail your unique predicament in a GitHub issue.
  Function("r", "regeneratorRuntime = r")(runtime);
}

I've found some issues in the repos for dependencies, but I haven't found a concrete answer.
[redacted]

It seems like regenerator-runtime is running in "accidental strict mode" but I'm unsure why.
Is there anything I can do?
Is this a known issue, and I should just downgrade for now? Or is my configuration wrong in some way?

Did you try recovering your dependencies?

Yes I have
yarn 1.22.10

Which terms did you search for in User Guide?

CSP
Content
Security
Runtime
Eval

Environment

Environment Info:

current version of create-react-app: 4.0.1
running from /Users/rbrewington/.npm/_npx/13542/lib/node_modules/create-react-app

System:
OS: macOS Mojave 10.14.6
CPU: (8) x64 Intel(R) Core(TM) i7-4770HQ CPU @ 2.20GHz
Binaries:
Node: 14.15.1 - /usr/local/bin/node
Yarn: 1.22.10 - /usr/local/bin/yarn
npm: 6.14.8 - /usr/local/bin/npm
Browsers:
Chrome: Not Found
Edge: Not Found
Firefox: Not Found
Safari: 14.0.2
npmPackages:
react: ^16.12.0 => 16.14.0
react-dom: ^16.12.0 => 16.14.0
react-scripts: 4.0.1 => 4.0.1
npmGlobalPackages:
create-react-app: Not Found

Steps to reproduce

1. Have a react-app project on 3.4.0
2. Run the upgrade command for 3.4.x to 4.0.0 from the changelog instructions
3. Everything builds and runs fine
4. Deploy to a production environment w/ a CSP that blocks unsafe-eval

Expected behavior

Expected my react app not to be blocked by our CSP.

Actual behavior

App does not run at all b/c of the EvalError

Reproducible demo

Not sure how to reproduce the issue since it is only a problem if you block unsafe eval

[rbrewington]

Nevermind. Seems it's another dependency 🤦‍♀️
but if anyone has seen this before, still would love to have some advice

[testower]

@rbrewington Hi - how did you figure out which dependency caused the issue?