CSP's Unsafe-line and Unsafe-eval in Grafana 9 with AngularJS disabled

So I was reading that in Grafana 9 there is an option to disable Angular support which has some of the security violations including requiring the unsafe-eval in the CSP due to its reliance on eval() function.

I want to have secure CSP policies so I tested it out by setting CSP without the unsafe-eval AND unsafe-inline but it still has issues opening the login page due to the absence of unsafe-inline in the CSP values so I was curious is “unsafe-inline” still required for Grafana or is that a bug?

By the way, I did test it without the unsafe-eval and as expected, it worked but it seems the policy “unsafe-inline” is still required in the CSP for Grafana login to open up.

For example, in the older Grafana versions, these were an absolute must:

script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';

and in Grafana 9 with the Angular disabled, only the unsafe-eval can be removed:

script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';

Can someone please confirm what is expected here?

@torkel Tagging you here as I saw you added the feature to disable AngularJS.