Type: Bug
Resolution: Unresolved
Priority: Major
When a JSF page is served with a Content-Security-Policy header such as:
"Content-Security-Policy", "default-src 'self'; script-src 'self';"
it breaks h:commandLink, which relies on rendered JavaScript. The culprit appears to be the following code from the jsf.js file packaged with JSF ($EAP8_HOME/modules/system/layers/base/jakarta/faces/impl/main/jakarta.faces-4.0.11.redhat-00001.jar):
jsf.util.chain = function(source, event) {
    if (arguments.length < 3) {
        return true;
    }
    // RELEASE_PENDING rogerk - shouldn't this be getElementById instead of null
    var thisArg = (typeof source === 'object') ? source : null;
    // Call back any scripts that were passed in
    for (var i = 2; i < arguments.length; i++) {
        var f = new Function("event", arguments[i]);
        var returnValue = f.call(thisArg, event);
        if (returnValue === false) {
            return false;
        }
    }
    return true;
};
In particular, the call
var f = new Function("event", arguments[i]);
compiles a JavaScript function from a source string at run time. That requires the 'unsafe-eval' source expression in script-src, so under the policy above the browser blocks it and the commandLink stops working.
The commandLink can be as simple as:
<h:commandLink action="#{testBean.doNothing}" value="Click Me"/>
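As an added illustration (not code from jsf.js or the Mojarra project), the following shows a CSP-compatible way to do what jsf.util.chain does: the callbacks are passed as function references instead of JavaScript source strings, so nothing has to be compiled with new Function, and a string callback is rejected instead of evaluated. The names chainCallbacks and dynamicCodeAllowed are hypothetical; the second one simply reports whether the current environment permits dynamic code evaluation at all.

```javascript
// Added example, not part of jsf.js. A variant of the chain logic that
// never compiles source strings, so it does not need script-src 'unsafe-eval'.
function chainCallbacks(source, event, ...callbacks) {
  if (callbacks.length === 0) return true;
  // Same binding rule as the original: an object source becomes `this`.
  const thisArg = (typeof source === 'object') ? source : null;
  for (const cb of callbacks) {
    if (typeof cb !== 'function') {
      // A string here is exactly what the original fed to `new Function`;
      // refuse it so the page stays inside the policy instead of evaluating it.
      throw new TypeError('chainCallbacks: expected a function, got ' + typeof cb);
    }
    // A callback returning exactly `false` short-circuits the chain.
    if (cb.call(thisArg, event) === false) return false;
  }
  return true;
}

// Reports whether dynamic code evaluation is permitted. With a policy such as
// "script-src 'self'" a browser raises an EvalError here and this returns
// false; in an environment without CSP (e.g. Node) it returns true.
function dynamicCodeAllowed() {
  try {
    new Function('return true;'); // eslint-disable-line no-new-func
    return true;
  } catch (e) {
    return false;
  }
}

// Usage with function references (constructed sample, no eval involved):
chainCallbacks({ id: 'form:link' }, { type: 'click' },
  function (ev) { return ev.type === 'click'; },
  function () { return this.id === 'form:link'; });
```

Note that an inline onclick attribute is itself blocked by script-src 'self' unless 'unsafe-inline' or a hash/nonce is granted, so a CSP-compatible fix also has to attach the handler from a same-origin script (for example with addEventListener) rather than through the attribute.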
Blocks: JBEAP-30649 [GSS](8.0.z) jsf packaged jsf.js breaks content security policy
Status: New