fix(csp): add unsafe-eval to unblock Matomo Cloud tracker

public/.ic-assets.json5

@@ -8,7 +8,11 @@
       // Starlight uses inline <script> tags for theme toggle, mobile menu,
       // sidebar state, and search. 'unsafe-inline' is required for these.
       // Pagefind search uses WebAssembly, which requires 'wasm-unsafe-eval'.
-      "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' 'wasm-unsafe-eval' https://cdn.matomo.cloud; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://www.plantuml.com; font-src 'self' data:; connect-src 'self' https://icp0.io https://*.icp0.io https://internetcomputer.matomo.cloud; frame-ancestors 'none'; form-action 'self'; base-uri 'self'; upgrade-insecure-requests",
+      // 'unsafe-eval' is required by the Matomo Cloud tracker (matomo.js bundles
+      // plugins such as Form Analytics or Heatmaps that call eval() internally).
+      // Better long-term fix: disable those plugins in the Matomo Cloud dashboard
+      // so the bundled matomo.js no longer needs eval(), then remove 'unsafe-eval'.
+      "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' 'wasm-unsafe-eval' https://cdn.matomo.cloud; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://www.plantuml.com; font-src 'self' data:; connect-src 'self' https://icp0.io https://*.icp0.io https://internetcomputer.matomo.cloud; frame-ancestors 'none'; form-action 'self'; base-uri 'self'; upgrade-insecure-requests",
       "X-Content-Type-Options": "nosniff",
       "Referrer-Policy": "strict-origin-when-cross-origin",
       "Permissions-Policy": "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()"