<script>elements, and runs their content via eval(). This doesn't work with a Content-Security-Policy in place, because eval is forbidden.
In my case, the script just wanted to bind a handler to all the newly-added elements that were also provided in the response.
Switching to binding the handler to the modal itself and filtering the interesting children meant that not only did I get the memory and CPU improvements of binding a single handler one time, but it eliminated the script—and the need to
evalit—from the response.
Before, event handlers were bound with this code in the response, via jQuery secretly calling
Afterwards, the response contained no script, and the event handlers were bound natively in my page initialization code:
$('#clientmodal').on('click', '#clientlist a', activateClient);
The content of
#clientmodalwas replaced whenever the modal was opened, but the modal itself (and its event handler) remained in place.