Are you using eval?
I got this:
Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'nonce-iEsD2if45rrVbpVQzGD2Cw=='".
Is is, with the Function syntax: https://github.com/mikolalysenko/box-intersect/blob/master/lib/brute.js#L138
Maybe use something like https://github.com/patriksimek/vm2/issues/85
I don't think vm2 will help websites to use safe CSP with this project, also it may harm performances. Maybe an option could specify if we want to switch between the fast generated function, or a not-generated-function if the maintainer really want to keep the generated function?
@mikolalysenko are you interested in a PR to solve that problem? I really think it's important to allow websites to use a strong CSP.