While implementing the security advice of adding the HTTP Header Content-Security-Policy, I found out that the Mendix application can only function properly when it has the flags 'unsafe-inline' 'unsafe-eval' for script source configured.
Then we make all Mendix applications a bit safer!
Some background info:
Configuring the CSP HTTP Header in a Mx Cloud v4 environment:
Without the ‘unsafe-inline’ flag, you would get an error like below, because the dojoConfig variable is configured by default in an inline <script> snippet on your index HTML page.
Without the ‘unsafe-eval’ flag, you would get an error like below, because the eval() function is used frequently in mxclientsystem/mxui.js.