From ec09c27a38f685e4023cc3a1c4178bab9700557a Mon Sep 17 00:00:00 2001
From: George Drummond
Date: Thu, 13 Dec 2018 13:54:19 -0500
Subject: [PATCH] On fix unsafe-eval header and websockets on development

---
 atst/app.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/atst/app.py b/atst/app.py
index 7cc3574d..5d79d9b5 100644
--- a/atst/app.py
+++ b/atst/app.py
@@ -98,11 +98,15 @@ def set_default_headers(app):
         response.headers[
             "Strict-Transport-Security"
         ] = "max-age=31536000; includeSubDomains"
-        response.headers["Content-Security-Policy"] = "default-src 'self'"
         response.headers["X-Content-Type-Options"] = "nosniff"
         response.headers["X-Frame-Options"] = "SAMEORIGIN"
         response.headers["X-XSS-Protection"] = "1; mode=block"
+        if ENV == 'dev':
+            response.headers["Content-Security-Policy"] = "default-src 'self' 'unsafe-eval'; connect-src *"
+        else:
+            response.headers["Content-Security-Policy"] = "default-src 'self' 'unsafe-eval'"
+
         return response
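Review bot: The `else` branch adds `'unsafe-eval'` to the Content-Security-Policy for every non-dev environment, which goes beyond the "on development" scope in the subject and permanently weakens the production policy, since `'unsafe-eval'` lets any injected script string run through eval()/new Function(). Unless a production bundle demonstrably needs it, keep the previous value there, `response.headers["Content-Security-Policy"] = "default-src 'self'"`, and if it is genuinely required add a comment above the assignment naming the bundle or library that needs it so the exception is not silently carried forward. The dev branch's `connect-src *` likewise allows connections to any origin; it appears to exist only for the websocket dev server, so narrowing it to that server's scheme and host would keep the dev policy closer to production. The `ENV == 'dev'` comparison uses single quotes where the surrounding lines use double quotes, so `if ENV == "dev":` would match the file's style. The decorated response hook being edited starts before this hunk, and the hunk header's line counts suggest it continues past `return response`.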