Use daily-js "avoidEval" to remove "unsafe-eval" from CSP headers

[abhinavankur-sw]

When using vapi sdk I am getting this CSP error

Failed to load call object bundle https://c.daily.co/call-machine/versioned/0.80.0/static/call-machine-object-bundle.js: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive

Daily-js has this option to avoidEval and use code path. Link. Is there a way to use this config from vapi?

[abhinavankur-sw]

While looking into the code. I found this.

constructor(apiToken: string, apiBaseUrl?: string, dailyCallConfig?: Pick<DailyAdvancedConfig, 'avoidEval' | 'alwaysIncludeMicInPermissionPrompt'>, dailyCallObject?: Pick<DailyFactoryOptions, 'audioSource' | 'startAudioOff'>);

export interface DailyAdvancedConfig {
  /**
   * @deprecated This property will be removed. Instead, use sendSettings, which is found in DailyCallOptions.
   */
  camSimulcastEncodings?: any[];
  /**
   * @deprecated This property will be removed. Use the method updateSendSettings instead.
   */
  disableSimulcast?: boolean;
  keepCamIndicatorLightOn?: boolean;
  /**
   * @deprecated This property will be removed. All calls use v2CamAndMic.
   */
  v2CamAndMic?: boolean;
  /**
   * @deprecated This property will be removed. It has no affect.
   */
  fastConnect?: boolean;
  h264Profile?: string;
  micAudioMode?: 'music' | 'speech' | DailyMicAudioModeSettings;
  noAutoDefaultDeviceChange?: boolean;
  preferH264?: boolean;
  preferH264ForCam?: boolean;
  preferH264ForScreenSharing?: boolean;
  /**
   * @deprecated This property will be removed. Instead, use sendSettings, which
   *             is found in DailyCallOptions.
   */
  screenSimulcastEncodings?: any[];
  useDevicePreferenceCookies?: boolean;
  /**
   * @deprecated This property will be removed. Instead, use inputSettings,
   *             which is found in DailyCallOptions.
   */
  userMediaAudioConstraints?: MediaTrackConstraints;
  /**
   * @deprecated This property will be removed. Instead, use inputSettings,
   *             which is found in DailyCallOptions.
   */
  userMediaVideoConstraints?: MediaTrackConstraints;
  avoidEval?: boolean;
  callObjectBundleUrlOverride?: string;
  alwaysIncludeMicInPermissionPrompt?: boolean;
  alwaysIncludeCamInPermissionPrompt?: boolean;
  enableIndependentDevicePermissionPrompts?: boolean;
  proxyUrl?: string;
  iceConfig?: DailyIceConfig;
  useLegacyVideoProcessor?: boolean;
}

but when using it, it is still fetching the https://c.daily.co/call-machine/versioned/0.80.0/static/call-machine-object-bundle.js

code:

 new Vapi(import.meta.env.VITE_VAPI_PUBLIC_KEY, null, {
                avoidEval: true,
            });