Change CSP during development for faster source maps (#16982)

2025-02-25 18:55:24 -06:00 · 2021-02-19 11:41:07 -05:00
parent 813f60649f
commit 9aaf29ffb4
1 changed files with 9 additions and 1 deletions
--- a/web/handlers.go
+++ b/web/handlers.go
@@ -172,11 +172,19 @@ func (h Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	if h.IsStatic {
 		// Instruct the browser not to display us in an iframe unless is the same origin for anti-clickjacking
 		w.Header().Set("X-Frame-Options", "SAMEORIGIN")
+
+		// Add unsafe-eval to the content security policy for faster source maps in development mode
+		devCSP := ""
+		if model.BuildNumber == "dev" {
+			devCSP = " 'unsafe-eval'"
+		}
+
 		// Set content security policy. This is also specified in the root.html of the webapp in a meta tag.
 		w.Header().Set("Content-Security-Policy", fmt.Sprintf(
-			"frame-ancestors 'self'; script-src 'self' cdn.rudderlabs.com%s%s",
+			"frame-ancestors 'self'; script-src 'self' cdn.rudderlabs.com%s%s%s",
 			cloudCSP,
 			h.cspShaDirective,
+			devCSP,
 		))
 	} else {
 		// All api response bodies will be JSON formatted by default