Closed
Description
Describe the bug
Cannot load netlify cms js 2.9.1 without permitting the content security policy directive script-src: 'unsafe-eval'
To Reproduce
Steps to reproduce the behavior. For example:
- set the content security policy for a site to only permit certain script-src urls and NOT 'unsafe-eval'
- rebuild and deploy your website
- Visit the netlify cms admin url
- See error in the console output
Uncaught (in promise) EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'
at new Function (<anonymous>)
at v.D (index.js:120)
at v.l (resolve.js:54)
at Object.L [as resolveRef] (index.js:189)
at Object.e.exports [as code] (ref.js:21)
at Object.e.exports [as validate] (validate.js:285)
at Object.e.exports [as code] (properties.js:195)
at e.exports (validate.js:382)
at D (index.js:88)
at v.e (index.js:55)
Expected behavior
Setting the content security policy script-src directive WITHOUT 'unsafe-eval' should load netlify cms at the admin url
Screenshots
Applicable Versions:
- Netlify CMS version: 2.9.1
- Chrome version: 74.0.3729.131
from https://unpkg.com/netlify-cms@^2.9.1/dist/netlify-cms.js
CMS configuration
Additional context
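The `EvalError` in the report comes from a `new Function` call being checked against the page's policy. The sketch below is an added example, not part of the original issue or of Netlify CMS: it checks a `Content-Security-Policy` header value the way that check is applied (`script-src`, falling back to `default-src`, must list `'unsafe-eval'`), so a site owner can see which directive blocks the call. The function names and sample policies are constructed, and Trusted Types is not modelled.

```javascript
// Added example: does a CSP header value permit eval() / new Function()?
// Function names and sample policies are constructed for illustration.

// Parse one policy ("name value value; name value") into a Map.
function parsePolicy(policyText) {
  const directives = new Map();
  for (const part of policyText.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Return the directive name that blocks string evaluation, or null.
function evalBlockingDirective(directives) {
  // script-src governs eval-like sinks; default-src is the fallback.
  const name = directives.has('script-src') ? 'script-src'
    : directives.has('default-src') ? 'default-src' : null;
  if (name === null) return null; // nothing restricts scripts
  const allowed = directives.get(name)
    .some((source) => source.toLowerCase() === "'unsafe-eval'");
  return allowed ? null : name;
}

// A header value may carry several comma-separated policies, and every
// one of them must allow evaluation. Returns the list of blockers.
function findEvalBlockers(headerValue) {
  const blockers = [];
  headerValue.split(',').forEach((policyText, index) => {
    const directive = evalBlockingDirective(parsePolicy(policyText));
    if (directive !== null) blockers.push({ policy: index, directive });
  });
  return blockers;
}

// Constructed sample policies.
const samples = [
  "script-src 'self' https://unpkg.com",                 // blocked
  "default-src 'self' 'unsafe-eval'; script-src 'self'", // script-src wins
  "script-src 'self' 'wasm-unsafe-eval'",                // not enough
  "script-src 'self' 'unsafe-eval'",                     // allowed
];
for (const header of samples) {
  console.log(header, '=>', JSON.stringify(findEvalBlockers(header)));
}
```

An empty result means the policy would let `new Function` run; any entry names the policy (by position in the header) and the directive that needs attention.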