Merge pull request #5622 from benjaoming/fix-csp-dev

CSP header should not block development Central Server
learningequality · Dec 3, 2019 · 64fe3fd · 64fe3fd
2 parents 8937a36 + 504a23f
commit 64fe3fd
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/kalite/distributed/middleware.py b/kalite/distributed/middleware.py
@@ -30,7 +30,16 @@ def process_response(self, request, response):
         if getattr(settings, 'CSP_REPORT_ONLY', False):
             header += '-Report-Only'
 
-        response[header] = "default-src 'self' 'unsafe-eval' 'unsafe-inline' data: *.learningequality.org; img-src data: *; script-src 'self' *.learningequality.org 'unsafe-eval' 'unsafe-inline'"
+        response[header] = "default-src 'self' 'unsafe-eval' 'unsafe-inline' data: *.learningequality.org{append_srcs}; img-src data: *; script-src 'self' *.learningequality.org 'unsafe-eval' 'unsafe-inline'"
+
+        # Add potentially alternative hosts configured as central server
+        if "learningequality.org" not in settings.CENTRAL_SERVER_HOST:
+            response[header] = response[header].format(
+                append_srcs=" " + settings.CENTRAL_SERVER_HOST
+            )
+        else:
+            response[header] = response[header].format(append_srcs="")
+
         return response