From 7d1ca956a7a09cb3777114d3c8849415382066fd Mon Sep 17 00:00:00 2001
From: Jonas Heinrich <heinrich@synyx.de>
Date: Thu, 22 Feb 2024 19:19:30 +0100
Subject: [PATCH] Enable HMR depending on debug mode

Signed-off-by: Jonas Heinrich <heinrich@synyx.de>
---
 .../Middleware/Security/CSPMiddleware.php             | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/lib/private/AppFramework/Middleware/Security/CSPMiddleware.php b/lib/private/AppFramework/Middleware/Security/CSPMiddleware.php
index 60a7cef8fa1d2..8741d312f3e88 100644
--- a/lib/private/AppFramework/Middleware/Security/CSPMiddleware.php
+++ b/lib/private/AppFramework/Middleware/Security/CSPMiddleware.php
@@ -74,6 +74,17 @@ public function afterController($controller, $methodName, Response $response): R
 			$defaultPolicy->useJsNonce($this->csrfTokenManager->getToken()->getEncryptedValue());
 		}
 
+		// Loosen security presets in debug mode to enable development
+		// tools functionality
+		$debugging = \OC::$server->getConfig()->getSystemValue('debug', false);
+		if ($debugging) {
+			// Allow vue dev tool to work on Firefox.
+			$defaultPolicy->allowEvalScript(true);
+			// Unblock HMR requests.
+			$defaultPolicy->addAllowedConnectDomain('*');
+			$defaultPolicy->addAllowedScriptDomain('*');
+		}
+
 		$response->setContentSecurityPolicy($defaultPolicy);
 
 		return $response;