Disable eval from webviews.

It can be trivially exploited online, so no service page should be
using this. I'll gladly help people report bugs upstream if It
comes down to that, but electron strongly recommends this.

This is reintroduced from c982df1a7a
as ICQ seems to've fixed the issue, despite not honoring bug bounty.

resources/js/rambox-service-api.js

@@ -65,3 +65,11 @@ Notification.permission = NativeNotification.permission;
 Notification.requestPermission = NativeNotification.requestPermission.bind(Notification);
 
 window.close = function() { location.href = location.origin };
+
+/**
+ * Disable eval for security reasons.
+ */
+  // eslint-disable-next-line no-eval
+  window.eval = global.eval = function () {
+    throw new Error(`Sorry, this app does not support window.eval().`);
+  };