From 1cab51249ecfb1c5e4902ed3eda2156eccca2f92 Mon Sep 17 00:00:00 2001
From: Bruno Windels <brunow@element.io>
Date: Thu, 4 Feb 2021 11:31:42 +0100
Subject: [PATCH] use same csp header for local dev as matrix.to

---
 scripts/serve-local.js | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/scripts/serve-local.js b/scripts/serve-local.js
index 02581f9..08e500d 100644
--- a/scripts/serve-local.js
+++ b/scripts/serve-local.js
@@ -30,6 +30,8 @@ const serve = serveStatic(
 			res.setHeader("Pragma", "no-cache");
 			res.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
 			res.setHeader("Expires", "Wed, 21 Oct 2015 07:28:00 GMT");
+            // same CSP as matrix.to server is using, so local testing happens under similar environment
+            res.setHeader("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src * data:; connect-src *; font-src 'self'; manifest-src 'self'; form-action 'self'; navigate-to *;");
 		},
 		index: ['index.html', 'index.htm']
 	}
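Review bot: The policy string on the added `res.setHeader("Content-Security-Policy", …)` line is a hand-copied duplicate of the production header, so it will drift silently when the matrix.to server's policy changes, and local testing would then run under a policy production no longer serves. Name the source of truth in the comment, e.g. `// keep in sync with the CSP in <path to matrix.to server config>`, or read the value from a file shared with the deployment. The copied policy also allows `'unsafe-inline'` and `'unsafe-eval'` in `script-src` and has `connect-src *`, so it does little to contain injected script; a short comment saying so would stop anyone treating this header as a hardened baseline. The two added lines are indented with spaces while the surrounding context lines use tabs. The enclosing `serveStatic(...)` call starts and ends outside the hunk.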
-- 
GitLab