From 74718d6361b83148294628aff3ae5943cab822b9 Mon Sep 17 00:00:00 2001
From: Danny Coates
Date: Tue, 29 Aug 2017 11:19:21 -0700
Subject: [PATCH] disable CSP when env = development
---
 server/routes/index.js | 45 ++++++++++++++++++++++--------------------
 1 file changed, 24 insertions(+), 21 deletions(-)
diff --git a/server/routes/index.js b/server/routes/index.js
index b9001957..d08194c4 100644
--- a/server/routes/index.js
+++ b/server/routes/index.js
@@ -7,6 +7,7 @@ const storage = require('../storage');
 const config = require('../config');
 const pages = require('./pages');
 // const lang = require('fluent-langneg')
+const IS_DEV = config.env === 'development';
 module.exports = function(app) {
 app.use(
@@ -18,29 +19,31 @@ module.exports = function(app) {
 app.use(
 helmet.hsts({
 maxAge: 31536000,
- force: config.env === 'production'
- })
- );
- app.use(
- helmet.contentSecurityPolicy({
- directives: {
- defaultSrc: ["'self'"],
- connectSrc: [
- "'self'",
- 'https://sentry.prod.mozaws.net',
- 'https://www.google-analytics.com'
- ],
- imgSrc: ["'self'", 'https://www.google-analytics.com'],
- scriptSrc: ["'self'"],
- styleSrc: ["'self'", 'https://code.cdn.mozilla.net'],
- fontSrc: ["'self'", 'https://code.cdn.mozilla.net'],
- formAction: ["'none'"],
- frameAncestors: ["'none'"],
- objectSrc: ["'none'"],
- reportUri: '/__cspreport__'
- }
+ force: !IS_DEV
 })
 );
+ if (!IS_DEV) {
+ app.use(
+ helmet.contentSecurityPolicy({
+ directives: {
+ defaultSrc: ["'self'"],
+ connectSrc: [
+ "'self'",
+ 'https://sentry.prod.mozaws.net',
+ 'https://www.google-analytics.com'
+ ],
+ imgSrc: ["'self'", 'https://www.google-analytics.com'],
+ scriptSrc: ["'self'"],
+ styleSrc: ["'self'", 'https://code.cdn.mozilla.net'],
+ fontSrc: ["'self'", 'https://code.cdn.mozilla.net'],
+ formAction: ["'none'"],
+ frameAncestors: ["'none'"],
+ objectSrc: ["'none'"],
+ reportUri: '/__cspreport__'
+ }
+ })
+ );
+ }
 app.use(
 busboy({
 limits: {
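Review bot: Wrapping the whole contentSecurityPolicy middleware in `if (!IS_DEV)` means the policy is never exercised locally, so an inline script or an extra origin that works in development only fails once it reaches an enforcing environment. A safer shape keeps the same directives in every environment and relaxes enforcement instead, e.g. adding `reportOnly: IS_DEV` next to `directives` (assuming the helmet version in use supports that option), so development still posts violations to the existing `/__cspreport__` endpoint without blocking anything. Separately, `force: !IS_DEV` on the hsts line widens the old `force: config.env === 'production'` condition: any env value other than `development` (test, staging, unset) now has HSTS forced, which the commit message does not mention and is worth confirming is intended. The body of the exported function continues past the end of the hunk.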