We have a hard dependency on a JavaScript API that requires 'unsafe-inline' 'unsafe-eval' if used in a CSP. If we add a CSP header with the values below, can we improve our security posture by limiting/whitelisting the origins from which scripts may be executed, or are we opening ourselves up more by explicitly allowing 'unsafe-inline' 'unsafe-eval'? Our current thinking is that without a CSP we are implicitly allowing inline scripting and eval, since otherwise our API would not work, so what is the downside of adding 'unsafe-inline' 'unsafe-eval' explicitly to our CSP?

script-src 'self' 'unsafe-inline' 'unsafe-eval' https://<localserver> https://<remoteserver>
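As an added example (not part of the question, its API, or any browser's code), a small JavaScript model of how a browser decides whether a script may run under the script-src directive above. It assumes constructed placeholder hosts localserver.example and remoteserver.example and a page origin of https://app.example, and it shows both halves of the question: the host list still blocks scripts loaded from an unlisted origin, while 'unsafe-inline' and 'unsafe-eval' leave inline scripts and eval permitted exactly as they are with no CSP at all.

```javascript
// Simplified model of script-src evaluation (constructed for illustration).
// Covers host sources, 'self', 'unsafe-inline' and 'unsafe-eval' only;
// nonces, hashes, wildcards and 'strict-dynamic' are deliberately omitted.
const PAGE_ORIGIN = "https://app.example"; // assumed origin of the page itself

// Returns the list of script-src source expressions, or null when the header
// is absent or has no script-src directive (i.e. no restriction applies here).
function parseScriptSrc(policy) {
  if (!policy) return null;
  const directive = policy
    .split(";")
    .map((d) => d.trim())
    .find((d) => d.startsWith("script-src"));
  if (!directive) return null;
  return directive.split(/\s+/).slice(1);
}

// request is one of { inline: true }, { eval: true } or { url: "https://..." }.
function scriptAllowed(policy, request) {
  const sources = parseScriptSrc(policy);
  if (sources === null) return true; // no CSP: the browser runs everything
  if (request.inline) return sources.includes("'unsafe-inline'");
  if (request.eval) return sources.includes("'unsafe-eval'");
  const origin = new URL(request.url).origin;
  if (sources.includes("'self'") && origin === PAGE_ORIGIN) return true;
  return sources.some((s) => {
    if (s.startsWith("'")) return false; // keyword, not a host source
    try { return new URL(s).origin === origin; } catch { return false; }
  });
}

// The policy from the question, with constructed placeholder hosts.
const QUESTION_POLICY =
  "script-src 'self' 'unsafe-inline' 'unsafe-eval' " +
  "https://localserver.example https://remoteserver.example";

// Summarise what a given policy still lets through.
function posture(policy) {
  return {
    inline: scriptAllowed(policy, { inline: true }),
    eval: scriptAllowed(policy, { eval: true }),
    listedHost: scriptAllowed(policy, { url: "https://remoteserver.example/api.js" }),
    unlistedHost: scriptAllowed(policy, { url: "https://unlisted.example/x.js" }),
  };
}

console.log("no CSP:", posture(""));
console.log("question policy:", posture(QUESTION_POLICY));
```

Compared with no header, the policy only changes the unlistedHost result; inline and eval stay allowed, which is the residual exposure the question is asking about.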
