Script causes “Refused to execute inline script: Either the ‘unsafe-inline’ keyword, a hash… or a nonce is required to enable inline execution”

The best way to fix this would be to take that $.ajax(…) call out of the document and move it into an external file called ajax-call.js, and then do the following:

<script src="ajax-call.js"></script>

The reason that’s better is, if you’re already going to the effort of setting a CSP policy for your document, then you should ideally go to the additional effort of removing all inline scripts.

But if for some reason you really need to keep the script inline in the document, you can change that meta element so the exact sha256 hash value from the error message is included as a source for the script-src directive, like this (with some line breaks added just for readability):

<meta http-equiv="Content-Security-Policy"
  content="default-src 'self' data: gap: http://www.visitsingapore.com
  https://ssl.gstatic.com 'unsafe-eval';
  style-src 'self' 'unsafe-inline';
  media-src *;
  script-src 'sha256-V+/U3qbjHKP0SaNQhMwYNm62gfWX4QHwPJ7We1PXokI='
">
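
If the inline script ever changes, the hash in the error message changes with it. The following added example (not part of the original answer) recomputes the hash sources at build time in Node.js. The function names, the constructed sample page, and the default `'self'` base source (so that external files such as ajax-call.js still load) are assumptions.

```javascript
// Added example: compute CSP hash sources for the inline scripts of a page.
const { createHash } = require('crypto');

// The browser hashes the exact text between <script> and </script> as UTF-8,
// including every leading/trailing space and newline, then base64-encodes it.
function cspHash(scriptText, algo = 'sha256') {
  const digest = createHash(algo).update(scriptText, 'utf8').digest('base64');
  return `'${algo}-${digest}'`;
}

// Return the bodies of inline scripts only. Elements with a src attribute are
// matched by host/scheme sources such as 'self', not by hashes.
// The regex is adequate for a build-time check on markup you control;
// it is not a full HTML parser.
function inlineScripts(html) {
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  const bodies = [];
  for (const [, attrs, body] of html.matchAll(re)) {
    if (/(?:^|\s)src\s*=/i.test(attrs)) continue; // external script, no hash
    bodies.push(body);
  }
  return bodies;
}

// Build a script-src directive: the base sources plus one hash per inline script.
// baseSources defaults to 'self' (an assumption; pass your own list).
function scriptSrcDirective(html, baseSources = ["'self'"]) {
  const hashes = inlineScripts(html).map((s) => cspHash(s));
  return ['script-src', ...new Set([...baseSources, ...hashes])].join(' ');
}

// Constructed sample page, not taken from the original question.
const samplePage = `<!doctype html>
<script src="jquery.js"></script>
<script>
  $.ajax({ url: "/api/items", method: "GET" });
</script>`;

console.log(scriptSrcDirective(samplePage));
```

Reformatting or minifying the inline script after this step invalidates the hash, so run it on the final markup that is actually served.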

And the following are a couple places to get a bit more information:
