Default configuration makes dashboard unusable #71
Description
EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' http: https: data: blob: 'unsafe-inline'".
That's with the conf from this repo and no other changes, on a fresh install of Matomo :)
A CSP is required in some of the blocks:
add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' https: data:; base-uri 'self'; frame-src 'self'; object-src 'self'";Another issue I see is that manifest.json is also 403'd by default with the configuration in this repo.