fix: do not trigger CSP violations when checking eval (#30991)

* fix: do not trigger CSP violations when checking eval

* Update shell/renderer/api/electron_api_web_frame.cc

Co-authored-by: Cheng Zhao <zcbenz@gmail.com>

Co-authored-by: Cheng Zhao <zcbenz@gmail.com>

lib/renderer/security-warnings.ts

@@ -77,15 +77,8 @@ const isLocalhost = function () {
  *
  * @returns {boolean} Is a CSP with `unsafe-eval` set?
  */
-const isUnsafeEvalEnabled: () => Promise<boolean> = function () {
-  return webFrame.executeJavaScript(`(${(() => {
-    try {
-      eval(window.trustedTypes.emptyScript); // eslint-disable-line no-eval
-    } catch {
-      return false;
-    }
-    return true;
-  }).toString()})()`, false);
+const isUnsafeEvalEnabled = () => {
+  return webFrame._isEvalAllowed();
 };
 
 const moreInformation = `\nFor more information and help, consult
@@ -174,16 +167,14 @@ const warnAboutDisabledWebSecurity = function (webPreferences?: Electron.WebPref
  * Logs a warning message about unset or insecure CSP
  */
 const warnAboutInsecureCSP = function () {
-  isUnsafeEvalEnabled().then((enabled) => {
-    if (!enabled) return;
+  if (!isUnsafeEvalEnabled()) return;
 
-    const warning = `This renderer process has either no Content Security
-    Policy set or a policy with "unsafe-eval" enabled. This exposes users of
-    this app to unnecessary security risks.\n${moreInformation}`;
+  const warning = `This renderer process has either no Content Security
+  Policy set or a policy with "unsafe-eval" enabled. This exposes users of
+  this app to unnecessary security risks.\n${moreInformation}`;
 
-    console.warn('%cElectron Security Warning (Insecure Content-Security-Policy)',
-      'font-weight: bold;', warning);
-  }).catch(() => {});
+  console.warn('%cElectron Security Warning (Insecure Content-Security-Policy)',
+    'font-weight: bold;', warning);
 };
 
 /**