allow inline styles. fixes #644

server/routes/index.js

@@ -42,28 +42,26 @@ module.exports = function(app) {
       force: !IS_DEV
     })
   );
-  if (!IS_DEV) {
+  app.use(
-    app.use(
+    helmet.contentSecurityPolicy({
-      helmet.contentSecurityPolicy({
+      directives: {
-        directives: {
+        defaultSrc: ["'self'"],
-          defaultSrc: ["'self'"],
+        connectSrc: [
-          connectSrc: [
+          "'self'",
-            "'self'",
+          'https://sentry.prod.mozaws.net',
-            'https://sentry.prod.mozaws.net',
+          'https://www.google-analytics.com'
-            'https://www.google-analytics.com'
+        ],
-          ],
+        imgSrc: ["'self'", 'https://www.google-analytics.com'],
-          imgSrc: ["'self'", 'https://www.google-analytics.com'],
+        scriptSrc: ["'self'"],
-          scriptSrc: ["'self'"],
+        styleSrc: ["'self'", "'unsafe-inline'", 'https://code.cdn.mozilla.net'],
-          styleSrc: ["'self'", 'https://code.cdn.mozilla.net'],
+        fontSrc: ["'self'", 'https://code.cdn.mozilla.net'],
-          fontSrc: ["'self'", 'https://code.cdn.mozilla.net'],
+        formAction: ["'none'"],
-          formAction: ["'none'"],
+        frameAncestors: ["'none'"],
-          frameAncestors: ["'none'"],
+        objectSrc: ["'none'"],
-          objectSrc: ["'none'"],
+        reportUri: '/__cspreport__'
-          reportUri: '/__cspreport__'
+      }
-        }
+    })
-      })
+  );
-    );
-  }
   app.use(
     busboy({
       limits: {