On fix unsafe-eval header and websockets on development

atst/app.py

@@ -98,11 +98,15 @@ def set_default_headers(app):
         response.headers[
             "Strict-Transport-Security"
         ] = "max-age=31536000; includeSubDomains"
-        response.headers["Content-Security-Policy"] = "default-src 'self'"
         response.headers["X-Content-Type-Options"] = "nosniff"
         response.headers["X-Frame-Options"] = "SAMEORIGIN"
         response.headers["X-XSS-Protection"] = "1; mode=block"
 
+        if ENV == 'dev':
+            response.headers["Content-Security-Policy"] = "default-src 'self' 'unsafe-eval'; connect-src *"
+        else:
+            response.headers["Content-Security-Policy"] = "default-src 'self' 'unsafe-eval'"
+
         return response