Dear Base44 Support Team,
We are encountering a critical and persistent issue where our application fails to create Round entities, specifically when the scores field is part of the entity structure, even if it's an empty object ({}). The application gets stuck with a loading spinner, and the browser console shows the following error:
"The Content Security Policy (CSP) prevents the evaluation of arbitrary strings as JavaScript to make it more difficult for an attacker to inject unauthorized code on your site. To solve this issue, avoid using eval(), new Function(), setTimeout([string], ...) and setInterval([string], ...) for evaluating strings. If you absolutely must: you can enable string evaluation by adding unsafe-eval as an allowed source in a script-src directive. ⚠️ Allowing string evaluation comes at the risk of inline script injection."
Context: Our frontend code is written in React and TypeScript. The issue occurs when attempting to create a Round entity via base44.entities.Round.create(data). Initially, we suspected complex data structures for players and scores might be causing the problem. However, even with a minimal Round entity that includes players: [] and scores: {}, the error persists.
Analysis of the Problem: This error strongly indicates that the Base44 backend/SDK is internally using eval(), new Function(), or similar dynamic code evaluation mechanisms when processing entity data, particularly for fields like scores which are defined as {"type": "object", "additionalProperties": true} in the entity schema. This dynamic evaluation is then blocked by the browser's Content Security Policy, preventing the entity creation process from completing.
Why this is critical:
Blocked Functionality: The core functionality of creating a game round is entirely blocked.
Security Risk (if unsafe-eval is enforced): Suggesting to add unsafe-eval to the CSP is not a viable solution for a production application, as it introduces significant security vulnerabilities, which is precisely what CSP aims to prevent.
Platform Limitation: This appears to be a fundamental limitation or an architectural issue within the Base44 platform's entity handling for flexible schema definitions, rather than an error in our application logic.
We have tried simplifying the data sent during entity creation, but as long as the scores field is part of the entity, the eval()-related CSP error prevents operation.
Request: We urgently request your assistance in resolving this backend-related CSP issue. Could you please investigate how the Base44 platform handles dynamic object schemas (like additionalProperties: true) internally and if it's inadvertently triggering eval()?
A solution that does not require us to weaken our application's security by enabling unsafe-eval is essential.
Thank you for your prompt attention to this matter.
Sincerely, Alex
In Review
Feature Request
4 months ago

Alex Beier
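
To confirm which script actually triggers the blocked string evaluation without relaxing the policy, the browser's `securitypolicyviolation` events can be grouped by source file. This is an added example, not part of the original post or Base44's code; the sample events, URLs and helper names are constructed for illustration.

```javascript
// Added example: find which script triggers an eval-type CSP violation.
// Property names follow the browser's SecurityPolicyViolationEvent interface.

// True for a blocked string evaluation: eval(), new Function(), or a string
// passed to setTimeout/setInterval. Browsers report these with blockedURI "eval".
function isEvalViolation(v) {
  return v.blockedURI === 'eval' && /^script-src/.test(v.effectiveDirective || '');
}

// Group eval violations by the script file that caused them, most frequent first.
function evalViolationsBySource(violations) {
  const bySource = new Map();
  for (const v of violations) {
    if (!isEvalViolation(v)) continue;
    const key = v.sourceFile || '(unknown source)';
    const entry = bySource.get(key) || { count: 0, locations: new Set() };
    entry.count += 1;
    entry.locations.add(`${v.lineNumber}:${v.columnNumber}`);
    bySource.set(key, entry);
  }
  return [...bySource]
    .map(([sourceFile, e]) => ({ sourceFile, count: e.count, locations: [...e.locations] }))
    .sort((a, b) => b.count - a.count);
}

// Constructed sample events; all URLs and positions are hypothetical.
const sampleViolations = [
  { blockedURI: 'eval', effectiveDirective: 'script-src',
    sourceFile: 'https://app.example/assets/vendor.js', lineNumber: 12, columnNumber: 3401 },
  { blockedURI: 'eval', effectiveDirective: 'script-src',
    sourceFile: 'https://app.example/assets/vendor.js', lineNumber: 12, columnNumber: 9120 },
  { blockedURI: 'eval', effectiveDirective: 'script-src',
    sourceFile: 'https://app.example/assets/main.js', lineNumber: 88, columnNumber: 17 },
  // Not an eval violation: a blocked external script load.
  { blockedURI: 'https://cdn.example/widget.js', effectiveDirective: 'script-src-elem',
    sourceFile: 'https://app.example/', lineNumber: 1, columnNumber: 1 },
];

if (typeof document !== 'undefined') {
  // In the browser: log each live violation as it is reported.
  document.addEventListener('securitypolicyviolation', (e) => {
    console.table(evalViolationsBySource([e]));
  });
} else {
  // Outside the browser (e.g. Node): run against the constructed sample.
  console.log(JSON.stringify(evalViolationsBySource(sampleViolations), null, 2));
}
```

The source file and line:column pairs in the output identify the bundle to inspect, whether that is a vendor SDK or the application's own build.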