From 504a23f10455aab1c32885cbed8d30adaacab54a Mon Sep 17 00:00:00 2001
From: Benjamin Bach
Date: Tue, 3 Dec 2019 14:49:28 +0100
Subject: [PATCH] CSP header should not block development Central Server
---
 kalite/distributed/middleware.py | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/kalite/distributed/middleware.py b/kalite/distributed/middleware.py
index 21a443a06c..cd6666586e 100644
--- a/kalite/distributed/middleware.py
+++ b/kalite/distributed/middleware.py
@@ -30,7 +30,16 @@ def process_response(self, request, response):
 if getattr(settings, 'CSP_REPORT_ONLY', False):
 header += '-Report-Only'
- response[header] = "default-src 'self' 'unsafe-eval' 'unsafe-inline' data: *.learningequality.org; img-src data: *; script-src 'self' *.learningequality.org 'unsafe-eval' 'unsafe-inline'"
+ response[header] = "default-src 'self' 'unsafe-eval' 'unsafe-inline' data: *.learningequality.org{append_srcs}; img-src data: *; script-src 'self' *.learningequality.org 'unsafe-eval' 'unsafe-inline'"
+
+ # Add potentially alternative hosts configured as central server
+ if "learningequality.org" not in settings.CENTRAL_SERVER_HOST:
+ response[header] = response[header].format(
+ append_srcs=" " + settings.CENTRAL_SERVER_HOST
+ )
+ else:
+ response[header] = response[header].format(append_srcs="")
+
 return response
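Review bot: The new guard `if "learningequality.org" not in settings.CENTRAL_SERVER_HOST:` is a substring test, so a host such as `learningequality.org.local` or `devlearningequality.org` is treated as already covered and left out of the policy, which is the blocked-development-server case the commit sets out to fix, and because `*.learningequality.org` in a CSP source list matches subdomains only, a setting equal to the bare apex `learningequality.org` is likewise skipped without being allowed. The setting is also spliced into the header value unvalidated, so a value carrying a scheme, path or a stray `;` would silently alter or invalidate the directive rather than be rejected; that assumption deserves a comment where the value is appended, or normalisation to a bare host[:port] where the setting is read. Computing the extra source first and assigning the header once would also remove the two-step `.format()` applied to a header that has already been set. process_response begins before this hunk.
```python
        central_host = settings.CENTRAL_SERVER_HOST
        # '*.learningequality.org' covers subdomains only, so match the apex
        # exactly or by suffix instead of substring-testing the setting.
        if central_host == "learningequality.org" or central_host.endswith(".learningequality.org"):
            extra_src = ""
        else:
            # Assumes CENTRAL_SERVER_HOST is a bare host[:port]; a scheme, path
            # or ';' in it would change the policy rather than be rejected.
            extra_src = " " + central_host
        response[header] = (
            "default-src 'self' 'unsafe-eval' 'unsafe-inline' data: *.learningequality.org" + extra_src
            + "; img-src data: *; script-src 'self' *.learningequality.org 'unsafe-eval' 'unsafe-inline'"
        )
        # … unchanged: return response …
```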