danieldietrich / candid

Candid is a surprisingly fresh and frameworkless JavaScript library for building web applications.

Is there a different solution for unsafe eval?

danieldietrich opened this issue · comments

Currently Candid uses eval to execute `<script>` code. Some pages use [CSP script-source](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src) to disallow eval from other sources.

```
Content-Security-Policy: script-src 'unsafe-eval';
```

Currently I don't see another solution in the browser. The user has control over which scripts get executed by using Content Security Policy.