From b54f4575ee151755779ab26a8818c8499be1ff4e Mon Sep 17 00:00:00 2001
From: Danny Coates
Date: Wed, 15 Nov 2017 10:54:13 -0800
Subject: [PATCH] allow inline styles. fixes #644

---
 server/routes/index.js | 42 ++++++++++++++++++++----------------------
 1 file changed, 20 insertions(+), 22 deletions(-)

diff --git a/server/routes/index.js b/server/routes/index.js
index 97ab2ca7..7230d455 100644
--- a/server/routes/index.js
+++ b/server/routes/index.js
@@ -42,28 +42,26 @@ module.exports = function(app) {
 force: !IS_DEV
 })
 );
- if (!IS_DEV) {
- app.use(
- helmet.contentSecurityPolicy({
- directives: {
- defaultSrc: ["'self'"],
- connectSrc: [
- "'self'",
- 'https://sentry.prod.mozaws.net',
- 'https://www.google-analytics.com'
- ],
- imgSrc: ["'self'", 'https://www.google-analytics.com'],
- scriptSrc: ["'self'"],
- styleSrc: ["'self'", 'https://code.cdn.mozilla.net'],
- fontSrc: ["'self'", 'https://code.cdn.mozilla.net'],
- formAction: ["'none'"],
- frameAncestors: ["'none'"],
- objectSrc: ["'none'"],
- reportUri: '/__cspreport__'
- }
- })
- );
- }
+ app.use(
+ helmet.contentSecurityPolicy({
+ directives: {
+ defaultSrc: ["'self'"],
+ connectSrc: [
+ "'self'",
+ 'https://sentry.prod.mozaws.net',
+ 'https://www.google-analytics.com'
+ ],
+ imgSrc: ["'self'", 'https://www.google-analytics.com'],
+ scriptSrc: ["'self'"],
+ styleSrc: ["'self'", "'unsafe-inline'", 'https://code.cdn.mozilla.net'],
+ fontSrc: ["'self'", 'https://code.cdn.mozilla.net'],
+ formAction: ["'none'"],
+ frameAncestors: ["'none'"],
+ objectSrc: ["'none'"],
+ reportUri: '/__cspreport__'
+ }
+ })
+ );
 app.use(
 busboy({
 limits: {
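Review bot: Adding `"'unsafe-inline'"` to `styleSrc` on the new side removes the policy's protection against any injected style, not just the inline styles that #644 needs; a per-request nonce or a `'sha256-…'` hash of the specific inline style blocks would let those through while keeping the whitelist strict, and helmet's directive entries accept a function for generating a nonce per request. If the blanket allowance is kept for now, the line deserves a comment recording why and that it is temporary, e.g. `// 'unsafe-inline' needed for inline styles (#644); replace with nonces/hashes`. Dropping the `if (!IS_DEV)` guard also means the policy (and `reportUri: '/__cspreport__'`) is now active in development, which looks intentional given the `force: !IS_DEV` toggle kept in the preceding middleware, but the commit message does not mention it and a short note in the description would help future readers. The enclosing `module.exports = function(app)` starts before the hunk and its body continues after it.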