On fix unsafe-eval header and websockets on development

2018-12-13 13:54:19 -05:00 · 2018-12-13 13:54:19 -05:00 · ec09c27a38
commit ec09c27a38
parent 5da374bbc9
1 changed files with 5 additions and 1 deletions
--- a/atst/app.py
+++ b/atst/app.py
@ -98,11 +98,15 @@ def set_default_headers(app):
        response.headers[
            "Strict-Transport-Security"
        ] = "max-age=31536000; includeSubDomains"
-        response.headers["Content-Security-Policy"] = "default-src 'self'"
        response.headers["X-Content-Type-Options"] = "nosniff"
        response.headers["X-Frame-Options"] = "SAMEORIGIN"
        response.headers["X-XSS-Protection"] = "1; mode=block"

+        if ENV == 'dev':
+            response.headers["Content-Security-Policy"] = "default-src 'self' 'unsafe-eval'; connect-src *"
+        else:
+            response.headers["Content-Security-Policy"] = "default-src 'self' 'unsafe-eval'"
+
        return response