always fallback legacy build when CSP

[yoyo930021]

Describe the bug

We use this line for detecting browser support.

vite/packages/plugin-legacy/index.js

Line 21 in 08a1ec7

const dynamicFallbackInlineCode = `!function(){try{new Function("m","return import(m)")}catch(o){console.warn("vite: loading legacy build because dynamic import is unsupported, syntax error above should be ignored");var e=document.getElementById("${legacyPolyfillId}"),n=document.createElement("script");n.src=e.src,n.onload=function(){${systemJSInlineCode}},document.body.appendChild(n)}}();`

but new Function code doesn't allow when CSP defaults.
So the browser will always fallback.
CSP hash can't ignore unsafe-eval.

Reproduction

HTTP server header

Content-Security-Policy: default-src 'self'

And Using @vite/plugin-legacy

Project: https://github.com/yoyo930021/vite-legacy-csp-bug

System Info

System:
    OS: macOS 11.6
    CPU: (8) x64 Intel(R) Core(TM) i5-1038NG7 CPU @ 2.00GHz
    Memory: 2.49 GB / 16.00 GB
    Shell: 5.8 - /bin/zsh
  Binaries:
    Node: 14.18.1 - ~/.volta/tools/image/node/14.18.1/bin/node
    Yarn: 2.4.2 - ~/.volta/tools/image/yarn/1.22.10/bin/yarn
    npm: 7.22.0 - ~/.volta/tools/image/npm/7.22.0/bin/npm
  Browsers:
    Edge: 96.0.1054.34
    Firefox Developer Edition: 95.0
    Firefox Nightly: 96.0a1
    Safari: 15.0

Used Package Manager

yarn

Logs

No response

Validations

• Follow our Code of Conduct
• Read the Contributing Guidelines.
• Read the docs.
• Check that there isn't already an issue that reports the same bug to avoid creating a duplicate.
• Make sure this is a Vite issue and not a framework-specific issue. For example, if it's a Vue SFC related bug, it should likely be reported to https://github.com/vuejs/vue-next instead.
• Check that this is a concrete bug. For Q&A open a GitHub Discussion or join our Discord Chat Server.
• The provided reproduction is a minimal reproducible example of the bug.

[Jax-p]

Did you find any walkaround for this?

[yoyo930021]

Did you find any walkaround for this?

No, I allow unsafe-eval for temp.
But I have some idea to fix it. Maybe I will add a PR.

[yoyo930021]

Did you find any walkaround for this?

No, I allow unsafe-eval for temp. But I have some idea to fix it. Maybe I will add a PR.

I open a PR about this. #6535
Maybe someone can test it.

[yoyo930021]

Do we have any release plans?

[patak-dev]

We will release it in tandem with vite 2.9, hopefully this week