Closed
Description
Inline JavaScript (and CSS) is a security and performance issue. Content-Security-Policy exists to tell browsers not to execute inline JavaScript.
The Web Profiler Toolbar however uses inline JavaScript. Why? It would also be possible to add a script tag to load the missing JavaScript.
Information can be passed from the server to the JavaScript code easily without inline JavaScript:
```html
<script class="embedded-json-data" type="application/json" data-name="myActiveProfile">
{"id": 123, "name": "ido", "language": "en"}
</script>
```
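and in your JavaScript (Angular here):
```js
// Name of the data block to read (matches data-name in the markup)
var name = 'myActiveProfile',
    selector = 'script.embedded-json-data[data-name="' + name + '"]',
    node = document.querySelector(selector),
    data = angular.fromJson(node.innerHTML); // parse the embedded JSON
```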
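
An added example (not part of the issue and not Symfony code) of the server side of the data-block pattern described above: the JSON is escaped so that a value containing markup cannot end the `<script type="application/json">` element early. The function names `renderDataBlock` and `readDataBlock` are hypothetical, and `readDataBlock` is a string-based stand-in for the browser lookup so the code runs under Node without a DOM.

```javascript
// Added example; renderDataBlock / readDataBlock are hypothetical names.

// Characters that must not appear literally inside the data block:
// "<" could begin "</script>" or "<!--"; the rest are escaped for safety.
const ESCAPES = { '<': '\\u003c', '>': '\\u003e', '&': '\\u0026',
                  '\u2028': '\\u2028', '\u2029': '\\u2029' };

function escapeAttr(value) {
  return String(value).replace(/[&"<>]/g, (c) => '&#' + c.charCodeAt(0) + ';');
}

// Server side: serialize data into a non-executing script element.
function renderDataBlock(name, data) {
  const json = JSON.stringify(data)
    .replace(/[<>&\u2028\u2029]/g, (c) => ESCAPES[c]);
  return '<script class="embedded-json-data" type="application/json" data-name="' +
    escapeAttr(name) + '">' + json + '</script>';
}

// Stand-in for the client lookup. In a page this would be:
//   JSON.parse(document.querySelector(selector).textContent)
function readDataBlock(html, name) {
  const open = '<script class="embedded-json-data" type="application/json" data-name="' +
    escapeAttr(name) + '">';
  const start = html.indexOf(open);
  if (start === -1) return null;
  const bodyStart = start + open.length;
  // The HTML parser ends the element at the first closing script tag.
  const end = html.indexOf('</script>', bodyStart);
  return JSON.parse(html.slice(bodyStart, end));
}

// Constructed sample: the profile from the issue, with markup in one value.
const profile = { id: 123, name: 'ido </script><b>', language: 'en' };
const html = renderDataBlock('myActiveProfile', profile);
```

The escaped form is still valid JSON, so the client-side parse returns the original values unchanged.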