Yeah, eval is the main culprit, but there's also Function, setTimeout, setInterval and friends.[0]
The other gotcha is that with a secure CSP policy, you can no longer do things like <button onclick="handleClick"> because that's inline JS, so that's kind of a bummer.
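An added example, not part of the comment above and not taken from any library: a small Node.js check that reads a CSP header value and reports which of the constructs named there the policy blocks. The function names and sample policies are made up for illustration.

```javascript
// Added example: helper names are hypothetical, policies are constructed samples.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first one wins.
    if (!directives.has(name)) {
      directives.set(name, tokens.slice(1).map((t) => t.toLowerCase()));
    }
  }
  return directives;
}

// Return the source list of the first directive present, following CSP fallback order.
function firstDefined(directives, names) {
  for (const n of names) if (directives.has(n)) return directives.get(n);
  return null; // no governing directive: the policy does not restrict this
}

const isNonceOrHash = (s) => /^'(nonce-|sha(256|384|512)-)/.test(s);

function blockedByCsp(policy) {
  const d = parseCsp(policy);
  const script = firstDefined(d, ["script-src", "default-src"]);
  const attr = firstDefined(d, ["script-src-attr", "script-src", "default-src"]);
  // eval, new Function and string arguments to setTimeout/setInterval
  // all depend on the same keyword: 'unsafe-eval'.
  const evalBlocked = script !== null && !script.includes("'unsafe-eval'");
  // Inline handlers such as onclick="..." need 'unsafe-inline', which browsers
  // ignore once a nonce, a hash or 'strict-dynamic' appears in the same list.
  // Not modelled: 'unsafe-hashes' with a matching hash (reported as blocked).
  const inlineAllowed =
    attr === null ||
    (attr.includes("'unsafe-inline'") &&
      !attr.some(isNonceOrHash) &&
      !attr.includes("'strict-dynamic'"));
  return {
    eval: evalBlocked,
    functionConstructor: evalBlocked,
    stringTimers: evalBlocked,
    inlineHandlers: !inlineAllowed,
  };
}

console.log(blockedByCsp("default-src 'self'"));
console.log(blockedByCsp("script-src 'self' 'unsafe-inline' 'nonce-r4nd0m'"));
```

With a blocking policy, the handler moves into a script file and is attached with `addEventListener`, and timers get a function instead of a string.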
>so few JavaScript libraries are compatible with it.
Is this because of the 'eval' function specifically, or are there other reasons?