Don't attempt to special-case worker CSP.

It doesn't work.

webserver/webserver.go

@@ -88,17 +88,13 @@ func Serve(address string, dataDir string) error {
 	return nil
 }
 
-func cspHeader(w http.ResponseWriter, connect string, unsafeEval bool) {
+func cspHeader(w http.ResponseWriter, connect string) {
 	c := "connect-src ws: wss: 'self'; "
 	if connect != "" {
 		c = "connect-src " + connect + " ws: wss: 'self'; "
 	}
-	s := "script-src 'self'; "
-	if unsafeEval {
-		s = "script-src 'unsafe-eval' 'self'; "
-	}
 	w.Header().Add("Content-Security-Policy",
-		c+s+"img-src data: 'self'; media-src blob: 'self'; default-src 'self'")
+		c+"img-src data: 'self'; media-src blob: 'self'; script-src 'unsafe-eval' 'self'; default-src 'self'")
 
 	// Make browser stop sending referrer information
 	w.Header().Add("Referrer-Policy", "no-referrer")
@@ -211,7 +207,7 @@ func (fh *fileHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	cspHeader(w, "", r.URL.Path == "/blur-background-worker.js")
+	cspHeader(w, "")
 	p := r.URL.Path
 	// this ensures any leading .. are removed by path.Clean below
 	if !strings.HasPrefix(p, "/") {
@@ -377,7 +373,7 @@ func groupHandler(w http.ResponseWriter, r *http.Request) {
 	}
 
 	status := g.Status(false, nil)
-	cspHeader(w, status.AuthServer, false)
+	cspHeader(w, status.AuthServer)
 	serveFile(w, r, filepath.Join(StaticRoot, "galene.html"))
 }