Commit 9f6187ab authored by Jérome Perrin

web_renderjs_ui: XXX allow 'unsafe-eval' in script-src XXX

This is for a prototype of integrating https://github.com/rjsf-team/react-jsonschema-form/
which uses ajv which needs such a CSP, see
https://github.com/ajv-validator/ajv/blob/1b07663f3954b48892c7210196f7c6ba08000091/docs/security.md#content-security-policy
for more details

It is probably possible to serve that gadget from an "unsafe" websection
instead of making everything unsafe. If we go this way it seems some inline
styles are sometimes set as well.
parent 863460fb
......@@ -357,7 +357,7 @@
</item>
<item>
<key> <string>configuration_content_security_policy</string> </key>
<value> <string>default-src \'self\'; img-src \'self\' data: blob:; media-src \'self\' blob:; connect-src \'self\' lab.nexedi.com data:; script-src \'self\'; font-src \'self\'; style-src \'self\' data:; frame-src \'self\' data:</string> </value>
<value> <string>default-src \'self\'; img-src \'self\' data: blob:; media-src \'self\' blob:; connect-src \'self\' lab.nexedi.com data:; script-src \'unsafe-eval\' \'self\'; font-src \'self\'; style-src \'self\' data:; frame-src \'self\' data:</string> </value>
</item>
<item>
<key> <string>configuration_default_view_action_reference</string> </key>
......
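Review bot: the new `script-src \'unsafe-eval\' \'self\'` value is set in the site-wide `configuration_content_security_policy`, so it relaxes the policy for every page this web site serves, not only for the react-jsonschema-form prototype. With `'unsafe-eval'` allowed, any script loaded from `'self'` can turn strings into code, which removes much of the protection `script-src 'self'` was giving against injected script. Suggest keeping `script-src \'self\'` here and putting the relaxed policy on a dedicated web section that serves only that gadget, as the commit message already proposes. The XXX markers in the subject suggest this is temporary, so it would help to record the condition for reverting it before it goes beyond the prototype.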