Getting EvalError with VueTorrent v2.5.0 and qBit 4.6.3

[favna]

I am pointing my qBitTorrent to a folder of vuetorrent which has the proper user permissions (owned by the user who owns the systemctl managed service and with 777 permissions (one of the things I tried)) and when I then go to my qBitTorrent I get this error spammed over and over again:

vue-EkRptf2M.js:1 EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'unsafe-inline'".

    at new Function (<anonymous>)
    at Ly (vue-EkRptf2M.js:19:8721)
    at Gd (vue-EkRptf2M.js:19:10705)
    at Gc (vue-EkRptf2M.js:19:9774)
    at vue-EkRptf2M.js:23:4954
    at Re (vue-EkRptf2M.js:23:4675)
    at Proxy.Ne (vue-EkRptf2M.js:23:4940)
    at index-fj5-vamU.js:8:357106
    at Object.r [as default] (vue-EkRptf2M.js:1:19543)
    at default (index-fj5-vamU.js:8:156214)

The only way to get out of this loop is stopping qBitTorrent, editing the conf file to disable the custom web UI and starting qBitTorrent again.

• I am running on a Linux (Ubuntu Server 22.04.3) server
• The folder permissions should be set correctly
• qBitTorrent is exposed through NGINX, specifically a config managed by Swizzin
  The nginx config is:

location /qbt {
    return 301 /qbittorrent/;
}

location /qbittorrent/ {
    proxy_pass              http://$remote_user.qbittorrent;
    proxy_http_version      1.1;
    proxy_set_header        X-Forwarded-Host        $http_host;
    http2_push_preload on; # Enable http2 push

    rewrite ^/qbittorrent/(.*) /$1 break;
    proxy_cookie_path / "/qbittorrent/; Secure";

    auth_basic "What's the password?";
    auth_basic_user_file /some/path;
}

I previously used v1.8.0 and that worked fine. To upgrade I downloaded the latest zip, nuked the WebUI folder and created it anew when unzipping. I also tried the nightly release and setting the Content-Security-Policy but to no avail.

It doesn't matter if I route through my Cloudflare host or through https://<my-local-ip-goes-here>/qbittorrent

[favna]

I found the issue. Turns out Swizzin automatically added this to the custom Http headers in qbittorrent:

WebUI\CustomHTTPHeaders="content-security-policy: default-src 'self'; style-src 'self' 'unsafe-inline' theme-park.dev raw.githubusercontent.com use.fontawesome.com; img-src 'self' theme-park.dev raw.githubusercontent.com data:; script-src 'self' 'unsafe-inline'; object-src 'none'; form-action 'self'; frame-ancestors 'self'; font-src use.fontawesome.com;\n"

Removing this config solves the problem.