From 88c9d6ae573cdd8456d6b9403c9cf8cc4ef22f73 Mon Sep 17 00:00:00 2001
From: sneakers-the-rat
Date: Sat, 10 Aug 2024 22:34:49 -0700
Subject: [PATCH] rm script-src nonce in development bc it prevents relaxing other CSPs for devtools
---
 config/initializers/content_security_policy.rb | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
index 97993f78c88bb1..0b34aadf52506b 100644
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@@ -69,7 +69,11 @@ def sso_host
 Rails.application.config.content_security_policy_nonce_generator = ->(_request) { SecureRandom.base64(16) }
-Rails.application.config.content_security_policy_nonce_directives = %w(style-src script-src)
+Rails.application.config.content_security_policy_nonce_directives = if Rails.env.development?
+ %w(style-src)
+ else
+ %w(style-src script-src)
+ end
 Rails.application.reloader.to_prepare do
 PgHero::HomeController.content_security_policy do |p|
@@ -93,7 +97,7 @@ def sso_host
 end
 LetterOpenerWeb::LettersController.after_action do
- request.content_security_policy_nonce_directives = %w(script-src)
+ request.content_security_policy_nonce_directives = %w()
 end
 end
 end
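Review bot: The new `if Rails.env.development?` branch makes the nonce policy diverge between development and production without a comment saying why, so a script tag that forgets `nonce: true` now loads fine in development and is only blocked once it reaches production, where script-src still carries a nonce. The rationale is only in the commit subject; it belongs next to the assignment, for example `# Development omits the script-src nonce: when a directive carries a nonce, browsers ignore 'unsafe-inline' in it, which presumably blocks the relaxed CSP devtools need. Production keeps the nonce.` The `script_src` directive itself and any development-only `'unsafe-inline'` are outside this hunk, so whether inline scripts still load in development cannot be confirmed from here; it is worth checking that the development policy actually grants what this change is meant to enable. The same divergence argument applies to the LetterOpenerWeb change in the second hunk.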
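Review bot: `%w()` as an empty list is an unusual spelling that reads as a leftover of the removed `%w(script-src)`; `request.content_security_policy_nonce_directives = []` says the same thing plainly. A one-line comment would also help a later reader, since this assignment is unconditional while the top-level change is gated on `Rails.env.development?`: `# Letter previews need no nonced directives; this controller is expected to be mounted only in development.`, hedged because the mount location is not visible in this diff. The `after_action` block sits inside a `reloader.to_prepare` block that begins outside this hunk.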