Plugs.HTTPSecurityPlug: Add unsafe-eval to script-src when in dev mode

author Haelwenn (lanodan) Monnier <contact@hacktivis.me>

Fri, 1 Feb 2019 12:10:50 +0000 (13:10 +0100)

committer Haelwenn (lanodan) Monnier <contact@hacktivis.me>

Tue, 12 Feb 2019 21:12:11 +0000 (22:12 +0100)
author Haelwenn (lanodan) Monnier <contact@hacktivis.me>
Fri, 1 Feb 2019 12:10:50 +0000 (13:10 +0100)
committer Haelwenn (lanodan) Monnier <contact@hacktivis.me>
Tue, 12 Feb 2019 21:12:11 +0000 (22:12 +0100)
diff --git a/lib/pleroma/plugs/http_security_plug.ex b/lib/pleroma/plugs/http_security_plug.ex

index 3c8e6a18f730c709df59d6c2e3930cca06367f5b..05e935f2c5b434ad8ebd12c02f69b89155993567 100644 (file)
--- a/lib/pleroma/plugs/http_security_plug.ex
+++ b/lib/pleroma/plugs/http_security_plug.ex
@@ -43,9 +43,11 @@ defmodule Pleroma.Plugs.HTTPSecurityPlug do
        "media-src 'self' https:",
        "style-src 'self' 'unsafe-inline'",
        "font-src 'self'",
-      "script-src 'self'",
        "connect-src 'self' " <> String.replace(Pleroma.Web.Endpoint.static_url(), "http", "ws"),
        "manifest-src 'self'",
+      if Mix.env() == :dev do
+        "script-src 'self' 'unsafe-eval'"
+      end,
        if scheme == "https" do
          "upgrade-insecure-requests"
        end
author	Haelwenn (lanodan) Monnier <contact@hacktivis.me>
	Fri, 1 Feb 2019 12:10:50 +0000 (13:10 +0100)
committer	Haelwenn (lanodan) Monnier <contact@hacktivis.me>
	Tue, 12 Feb 2019 21:12:11 +0000 (22:12 +0100)