In \adm\style\progress_bar.html, there is this JS function call:
setTimeout("close_popup()", 1000);
It can simply be turned into:
setTimeout(close_popup, 1000);
This would allow a safer Content Security Policy, because "script-src unsafe-eval" would no longer be needed: https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/script-src#unsafe_eval_expressions
We found no other occurrences of unsafe eval expressions.
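
One way to re-check templates for call sites that a policy without unsafe-eval would block, as an added example that is not part of the original report or the project's code. The function name findEvalSinks and the sample markup are hypothetical and constructed here, and the match is a regex heuristic over source text rather than a JavaScript parser:

```javascript
// Added example: flag call sites that CSP blocks unless 'unsafe-eval' is allowed.
// Heuristic line-by-line scan; it does not parse JavaScript, so review each hit.
const EVAL_SINKS = [
  // setTimeout / setInterval whose first argument starts as a string literal
  { kind: 'string-timer', re: /\bset(?:Timeout|Interval)\s*\(\s*["'`]/ },
  // direct eval(...) call (not a method such as obj.eval or a name like myeval)
  { kind: 'eval', re: /(?<![.\w$])eval\s*\(/ },
  // Function constructor, with or without `new`
  { kind: 'function-constructor', re: /(?<![.\w$])(?:new\s+)?Function\s*\(/ },
];

// Hypothetical helper: returns one finding per matching line and sink kind.
function findEvalSinks(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, idx) => {
    for (const { kind, re } of EVAL_SINKS) {
      if (re.test(text)) {
        findings.push({ line: idx + 1, kind, text: text.trim() });
      }
    }
  });
  return findings;
}

// Constructed sample: the string form from the report next to the
// function-reference form, plus a timer that takes a function expression.
const SAMPLE = [
  '<script>',
  'function close_popup() { window.close(); }',
  'setTimeout("close_popup()", 1000);',
  'setTimeout(close_popup, 1000);',
  'setInterval(function () { tick(); }, 500);',
  '</script>',
].join('\n');

function demo() {
  return findEvalSinks(SAMPLE);
}

console.log(demo());
```

Only the string-argument call is reported; passing the function reference or a function expression does not go through the eval path.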

