Yeah, eval is the main culprit, but there's also Function, setTimeout, setInterval and friends.[0]

The other gotcha is that with a secure CSP policy, you can no longer do things like <button onclick="handleClick"> because that's inline JS, so that's kind of a bummer.

[0] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Co...