disable CSP when env = development

This commit is contained in:
Danny Coates 2017-08-29 11:19:21 -07:00
parent ced640c24a
commit 74718d6361
No known key found for this signature in database
GPG Key ID: 4C442633C62E00CB
1 changed files with 24 additions and 21 deletions

View File

@ -7,6 +7,7 @@ const storage = require('../storage');
const config = require('../config');
const pages = require('./pages');
// const lang = require('fluent-langneg')
const IS_DEV = config.env === 'development';
module.exports = function(app) {
app.use(
@ -18,29 +19,31 @@ module.exports = function(app) {
app.use(
helmet.hsts({
maxAge: 31536000,
force: config.env === 'production'
})
);
app.use(
helmet.contentSecurityPolicy({
directives: {
defaultSrc: ["'self'"],
connectSrc: [
"'self'",
'https://sentry.prod.mozaws.net',
'https://www.google-analytics.com'
],
imgSrc: ["'self'", 'https://www.google-analytics.com'],
scriptSrc: ["'self'"],
styleSrc: ["'self'", 'https://code.cdn.mozilla.net'],
fontSrc: ["'self'", 'https://code.cdn.mozilla.net'],
formAction: ["'none'"],
frameAncestors: ["'none'"],
objectSrc: ["'none'"],
reportUri: '/__cspreport__'
}
force: !IS_DEV
})
);
if (!IS_DEV) {
app.use(
helmet.contentSecurityPolicy({
directives: {
defaultSrc: ["'self'"],
connectSrc: [
"'self'",
'https://sentry.prod.mozaws.net',
'https://www.google-analytics.com'
],
imgSrc: ["'self'", 'https://www.google-analytics.com'],
scriptSrc: ["'self'"],
styleSrc: ["'self'", 'https://code.cdn.mozilla.net'],
fontSrc: ["'self'", 'https://code.cdn.mozilla.net'],
formAction: ["'none'"],
frameAncestors: ["'none'"],
objectSrc: ["'none'"],
reportUri: '/__cspreport__'
}
})
);
}
app.use(
busboy({
limits: {