Avoid using unsafe eval JavaScript
There are several occurrences of {{setTimeout('ping();',pingInterval)}} in the portal.
This prevents using a secure Content Security Policy; see 'unsafe-eval' in https://www.html5rocks.com/en/tutorials/security/content-security-policy/ or other sources.
Please replace them with {{setTimeout(ping,pingInterval)}}.
NB: My current policy is (I plan to use frame-ancestors too):
Content-Security-Policy-Report-Only "default-src 'none'; img-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; font-src 'self'
X-Content-Type-Options nosniff
X-Frame-Options DENY
X-XSS-Protection "1; mode=block"
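
One way to locate the string-argument timers described above and propose the function-reference form. This is an added example, not part of the original report or the portal's code; it is a regex heuristic, and the function name {{findStringTimers}} and the sample source are constructed for illustration.

```javascript
// Added example: flag timers whose first argument is a string, which the
// browser compiles like eval() and which CSP blocks without 'unsafe-eval'.
const TIMER_WITH_STRING =
  /\b(setTimeout|setInterval)\s*\(\s*(['"`])((?:\\.|(?!\2).)*)\2\s*(?=[,)])/g;

// A string holding only one bare call, e.g. "ping();", maps to a function reference.
const BARE_CALL = /^\s*([A-Za-z_$][\w$]*)\s*\(\s*\)\s*;?\s*$/;

function findStringTimers(source) {
  const findings = [];
  source.split('\n').forEach((text, index) => {
    for (const match of text.matchAll(TIMER_WITH_STRING)) {
      const [whole, timer, , code] = match;
      const bare = BARE_CALL.exec(code);
      findings.push({
        line: index + 1,
        timer,
        code,
        // null: the string is more than one bare call and needs a manual rewrite
        suggestion: bare
          ? text.replace(whole, () => `${timer}(${bare[1]}`).trim()
          : null,
      });
    }
  });
  return findings;
}

// Constructed sample input (hypothetical, not the portal's real source).
const SAMPLE = [
  "function ping() { /* keep-alive request */ }",
  "setTimeout('ping();',pingInterval);",
  "setTimeout(ping, pingInterval);",
  "setInterval(\"refresh(1); ping()\", 5000);",
].join('\n');

for (const f of findStringTimers(SAMPLE)) {
  const fix = f.suggestion ?? 'rewrite by hand as a function';
  console.log(`line ${f.line}: ${f.timer} evaluates "${f.code}" -> ${fix}`);
}
```

Strings that pass arguments or chain several statements are reported with no suggestion, since they need a wrapping function written by hand.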