From 0ffd8794553b43ba5e86365d9530af7eb0ead755 Mon Sep 17 00:00:00 2001
From: "Joe H. Rahme"
Date: Tue, 26 Jan 2021 15:04:23 +0100
Subject: [PATCH] Removes CSP headers in dev environment

The CSP headers included in the requests are causing failures with fontawesome. This in turn is causing some functionality (like pinning or banning specific items in the builders) to disappear. This patch removes the CSP headers from requests if the app is launched in dev mode. It does make the app vunlerable to XSS attacks but, hey, it's dev mode. Don't run this in production anyway. Fixes #507
---
 server.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/server.js b/server.js
index 010f2816b..1d6bd40fd 100644
--- a/server.js
+++ b/server.js
@@ -70,7 +70,9 @@ if (config.isDev) {
   delete cspDirectives.reportUri;
 }
 
-app.use(helmet.contentSecurityPolicy({ directives: cspDirectives, reportOnly: !config.isDev }));
+if (!config.isDev) {
+  app.use(helmet.contentSecurityPolicy({ directives: cspDirectives }));
+}
 
 // Static middleware
 if (config.isProd || process.env.DEV_USE_DIST === "yes") {
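Review bot: The new branch silently changes the production header from report-only to enforcing: the removed line passed `reportOnly: !config.isDev`, which evaluates to `true` outside dev, while the added call omits the option and therefore takes helmet's enforcing default. Since the description itself says the enforced policy breaks fontawesome in dev, the same directives enforced in production may fail the same way unless production's directives differ, which is not visible here. If enforcing in production is intended, the commit description should say so; otherwise the non-dev call should keep the previous behavior, `app.use(helmet.contentSecurityPolicy({ directives: cspDirectives, reportOnly: true }));`. With the middleware skipped entirely in dev, any violation introduced during development now surfaces only in production, so a short comment on the new `if` explaining that trade-off would help the next reader. The `if (config.isDev)` block that deletes `reportUri` begins before the hunk and now only adjusts a policy that is never sent.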