Symfony version(s) affected: 4.1.0

Description
Commit 0cd51ae added a call to Javascript's eval function, which is not allowed under a strict content security policy. We have this strict policy on development as well in production because we don't want to find out about CSP violations in production only.

How to reproduce
Open a webpage with the Symfony profiling toolbar while CSP is enabled and unsafe-eval is not allowed

Possible Solution
It would be best if eval wouldn't be needed at all, but I'm not sure if that's an option