X-Git-Url: http://git.squeep.com/?a=blobdiff_plain;f=lib%2Fpleroma%2Fweb%2Fplugs%2Fhttp_security_plug.ex;h=d7cff73436a83701ed02fbfe16b85174edea0265;hb=refs%2Fheads%2Fstable;hp=b1f1ada94c98553a49393bd69e790638d5372c48;hpb=c2ae3273d5d8667967891e9c1672c653188e5446;p=akkoma

diff --git a/lib/pleroma/web/plugs/http_security_plug.ex b/lib/pleroma/web/plugs/http_security_plug.ex
index b1f1ada94..d7cff7343 100644
--- a/lib/pleroma/web/plugs/http_security_plug.ex
+++ b/lib/pleroma/web/plugs/http_security_plug.ex
@@ -8,6 +8,8 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlug do
 
   require Logger
 
+  @mix_env Mix.env()
+
   def init(opts), do: opts
 
   def call(conn, _options) do
@@ -114,7 +116,14 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlug do
     style_src = "style-src 'self' '#{nonce_tag}'"
     font_src = "font-src 'self'"
 
-    script_src = "script-src 'self' '#{nonce_tag}'"
+    script_src = "script-src 'self' '#{nonce_tag}' "
+
+    script_src =
+      if @mix_env == :dev do
+        "script-src 'self' 'unsafe-eval' 'unsafe-inline'"
+      else
+        script_src
+      end
 
     report = if report_uri, do: ["report-uri ", report_uri, ";report-to csp-endpoint"]
     insecure = if scheme == "https", do: "upgrade-insecure-requests"