Chrome打包的应用程序安全策略

我需要在用Backbone.js编写的Chrome打包应用程序中创建RSA签名jsrssign我得到：

Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an 
allowed source of script in the following Content Security Policy directive: 
"default-src 'self' chrome-extension-resource:". Note that 'script-src' was 
not explicitly set, so 'default-src' is used as a fallback.

我尝试设置content_security_policy，但它不适用于打包的应用程序。那么如何解决这个问题呢？

导致问题的代码是：

var sig = new KJUR.crypto.Signature({"alg": "SHA1withRSA", "prov": "cryptojs/jsrsa"});

lib正在调用eval:

this.md = eval(KJUR.crypto.Util.CRYPTOJSMESSAGEDIGESTNAME[alg]).create();