Disable eval from webviews.

It can be trivially exploited online, so no service page should be
using this. I'll gladly help people report bugs upstream if It
comes down to that, but electron strongly recommends this.

resources/js/rambox-service-api.js

@@ -63,3 +63,11 @@ Notification = function(title, options) {
 Notification.prototype = NativeNotification.prototype;
 Notification.permission = NativeNotification.permission;
 Notification.requestPermission = NativeNotification.requestPermission.bind(Notification);
+
+/**
+ * Disable eval for security reasons.
+ */
+  // eslint-disable-next-line no-eval
+  window.eval = global.eval = function () {
+    throw new Error(`Sorry, this app does not support window.eval().`);
+  };