in dev, allow dev FE
authorFloatingGhost <hannah@coffee-and-dreams.uk>
Fri, 14 Apr 2023 15:36:40 +0000 (16:36 +0100)
committerFloatingGhost <hannah@coffee-and-dreams.uk>
Fri, 14 Apr 2023 15:36:40 +0000 (16:36 +0100)
lib/pleroma/web/plugs/http_security_plug.ex

index b1f1ada94c98553a49393bd69e790638d5372c48..570aeefff8d88ce8492dbdb533fd4c84545b1b28 100644 (file)
@@ -8,6 +8,8 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlug do
 
   require Logger
 
+  @mix_env Mix.env()
+
   def init(opts), do: opts
 
   def call(conn, _options) do
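Review bot: `@mix_env Mix.env()` has no comment saying that it is evaluated when the module is compiled, so the value records the build environment and cannot be changed by runtime configuration. Because this attribute later selects the Content-Security-Policy, that deserves a line above it, for example `# Captured at compile time (Mix is not available in a release at runtime); a :dev build keeps the relaxed CSP wherever it is deployed.` The module body continues outside this hunk.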
@@ -114,7 +116,12 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlug do
     style_src = "style-src 'self' '#{nonce_tag}'"
     font_src = "font-src 'self'"
 
-    script_src = "script-src 'self' '#{nonce_tag}'"
+    script_src = "script-src 'self' '#{nonce_tag}' "
+    script_src = if @mix_env == :dev do
+      "script-src 'self' 'unsafe-eval' 'unsafe-inline'"
+    else
+      script_src
+    end
 
     report = if report_uri, do: ["report-uri ", report_uri, ";report-to csp-endpoint"]
     insecure = if scheme == "https", do: "upgrade-insecure-requests"
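Review bot: The `:dev` branch of `script_src` drops the nonce and allows `'unsafe-eval' 'unsafe-inline'`, which removes the script-injection protection this header provides. Any instance compiled with `MIX_ENV=dev` serves that policy, so the branch should carry a comment saying it is for local frontend development only. Separately, the first assignment now ends in a stray trailing space (`'#{nonce_tag}' "`) and is rebound immediately afterwards; a single `if` expression keeps the production string exactly as it was. The enclosing function starts and ends outside this hunk.

```elixir
# … unchanged: style_src / font_src …
script_src =
  if @mix_env == :dev do
    # Local development only: relaxed so the dev frontend's scripts load.
    # @mix_env is fixed at compile time; do not deploy :dev builds publicly.
    "script-src 'self' 'unsafe-eval' 'unsafe-inline'"
  else
    "script-src 'self' '#{nonce_tag}'"
  end
# … unchanged: report / insecure …
```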