content-security-policy
No progressive enhancement for unsafe-eval
With the current proposal, it appears to be impossible to benefit from wasm-unsafe-eval through progressive enhancement. For maximum browser compatibility, unsafe-eval is still required, and because "If the unsafe-eval source keyword is used, then this overrides any occurrence of wasm-unsafe-eval in the CSP policy", specifying both gives no benefit.
There is prior art for enabling progressive enhancement by doing the opposite, for example in the interaction of unsafe-inline and nonce-*:
script-src 'unsafe-inline' 'nonce-foo'
is compatible with browsers that do not recognize nonce-*, but browsers that do recognize nonce-* use the more restrictive nonce and ignore the more general 'unsafe-inline'.
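To make the asymmetry concrete, here is an added example (not code from the issue or from the content-security-policy proposal) that models how two generations of browser would evaluate a script-src source list. The nonce rule follows CSP Level 2/3, where a nonce or hash source in the list makes 'unsafe-inline' a no-op; the eval rule follows the sentence quoted above, where 'unsafe-eval' overrides 'wasm-unsafe-eval'. The "legacy" and "aware" browser flags, the sample policies and the nonce values are constructed for illustration.

```python
"""Model script-src evaluation to compare the progressive-enhancement story of
'unsafe-inline' + 'nonce-*' against 'unsafe-eval' + 'wasm-unsafe-eval'.

Added example with constructed policies; it is not a full CSP implementation.
"""
import re

# Nonce and hash source expressions; the prefix is matched case-insensitively,
# the value itself is compared case-sensitively further down.
_NONCE_OR_HASH = re.compile(r"^'(nonce|sha256|sha384|sha512)-[^']+'$", re.IGNORECASE)


def parse_script_src(policy: str) -> list[str]:
    """Return the source expressions of the script-src directive of a CSP header.
    Directives are ';'-separated and source expressions whitespace-separated."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "script-src":
            return tokens[1:]
    return []


def allows_inline_script(sources: list[str], script_nonce: str, nonce_aware: bool = True) -> bool:
    """Would an inline <script nonce=...> run under this source list?

    nonce_aware=False models a browser that predates nonce/hash sources and
    therefore only understands 'unsafe-inline'."""
    keywords = {s.lower() for s in sources}
    if nonce_aware and any(_NONCE_OR_HASH.match(s) for s in sources):
        # A nonce or hash in the list switches 'unsafe-inline' off, so only a
        # matching nonce lets the script run.  This is the graceful-degradation
        # pattern the issue points to.
        return f"'nonce-{script_nonce}'" in sources
    # No nonce/hash present, or a legacy browser that ignores them.
    return "'unsafe-inline'" in keywords


def allows_eval(sources: list[str], target: str, wasm_aware: bool = True) -> bool:
    """Would eval()/new Function() (target='js') or WebAssembly compilation
    (target='wasm') be permitted?

    Per the proposal quoted in the issue, 'unsafe-eval' overrides
    'wasm-unsafe-eval': a browser that knows the new keyword never gets to apply
    the narrower permission when the broad one is also present."""
    keywords = {s.lower() for s in sources}
    if "'unsafe-eval'" in keywords:
        return True  # permits both JS eval and Wasm compilation, in every browser
    if target == "wasm" and wasm_aware:
        return "'wasm-unsafe-eval'" in keywords
    return False


def report(policy: str) -> dict[str, bool]:
    """Evaluate one policy from the point of view of a legacy and a current browser."""
    src = parse_script_src(policy)
    return {
        "inline/legacy": allows_inline_script(src, "foo", nonce_aware=False),
        "inline/nonce-aware/right-nonce": allows_inline_script(src, "foo"),
        "inline/nonce-aware/wrong-nonce": allows_inline_script(src, "bar"),
        "js-eval/wasm-aware": allows_eval(src, "js"),
        "wasm/wasm-aware": allows_eval(src, "wasm"),
        "wasm/legacy": allows_eval(src, "wasm", wasm_aware=False),
    }


if __name__ == "__main__":
    # Constructed sample policies.
    for policy in (
        "script-src 'unsafe-inline' 'nonce-foo'",          # degrades gracefully
        "script-src 'self' 'unsafe-eval' 'wasm-unsafe-eval'",  # broad keyword wins everywhere
        "script-src 'self' 'wasm-unsafe-eval'",             # strict, but breaks legacy browsers
    ):
        print(policy)
        for check, allowed in report(policy).items():
            print(f"  {check:34} {'allowed' if allowed else 'blocked'}")
```

Running it shows the contrast: with the nonce policy, a legacy browser falls back to 'unsafe-inline' while a current browser enforces the nonce, so the stricter behaviour is opt-in by browser capability; with both eval keywords present, every browser ends up allowing JS eval as well, and dropping 'unsafe-eval' to get the narrower permission blocks Wasm in legacy browsers entirely.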