Support Basic non-Strict Content-Security Policy (CSP)

[rajsite]

If I configure a page using the OWASP recommended Basic non-Strict CSP Policy, i.e. for example by adding the following <meta> tag:

<meta http-equiv="Content-Security-Policy" content="default-src 'self'; frame-ancestors 'self'; form-action 'self';">

I get an error similar to the following in Chrome due to eval / Function constructor usage:

    Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self'".

    at Function (<anonymous>)
    at compile (arquero.js?v=01b19c5c:2969:10)
    at expr (arquero.js?v=01b19c5c:2973:27)
    at Object.value (arquero.js?v=01b19c5c:8802:66)
    at parse_default (arquero.js?v=01b19c5c:8817:9)
    at derive (arquero.js?v=01b19c5c:9955:30)
    at ColumnTable.derive (arquero.js?v=01b19c5c:23547:12)
    at main.ts:12:4

It would be great to be able to use arquero without requiring unsafe-eval (even if it's a teeny bit slower 🐢). Example stackblitz.