Function() constructor should not execute with policy "script-src 'self' 'unsafe-inline'".