From 3d9a2d8251b71378a794fc50cbb8f1b5f98da3d0 Mon Sep 17 00:00:00 2001
From: Pierre-Yves Chibon
Date: Mon, 8 Jul 2019 13:31:43 +0200
Subject: [PATCH] Pagure: only set the CSP headers in production, in staging use the application ones

Signed-off-by: Pierre-Yves Chibon
---
 roles/pagure/frontend/templates/securityheaders.conf | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/roles/pagure/frontend/templates/securityheaders.conf b/roles/pagure/frontend/templates/securityheaders.conf
index de91a0e803..0ed22cfaa9 100644
--- a/roles/pagure/frontend/templates/securityheaders.conf
+++ b/roles/pagure/frontend/templates/securityheaders.conf
@@ -2,4 +2,6 @@ Header always set X-Frame-Options "ALLOW-FROM https://pagure.io/"
 Header always set X-Xss-Protection "1; mode=block"
 Header always set X-Content-Type-Options "nosniff"
 Header always set Referrer-Policy "same-origin"
+{% if env != 'pagure-staging' %}
 Header always set Content-Security-Policy "default-src 'self' https:; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://apps.fedoraproject.org; style-src 'self' 'unsafe-inline' https://apps.fedoraproject.org"
+{% endif %}
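Review bot: With the new `{% if env != 'pagure-staging' %}` guard around the `Content-Security-Policy` line, a staging response only carries a CSP when the application itself emits one, so anything httpd answers on its own (error pages, and presumably any files it serves directly) would go out in staging with no policy at all. The template also gives no reason for the split, and a later reader cannot tell whether it is meant to be temporary; a Jinja comment above the guard such as `{# CSP is set by httpd in production only; on staging the application sends its own #}` would record it. If an httpd-level fallback is wanted on staging, `Header setifempty Content-Security-Policy "..."` (mod_headers, httpd 2.4.7 or later) applies a policy only when none is present, though whether it sees the application's header depends on how the app is served and on the `always` table, so it needs testing. The inequality test does mean that any other value of `env` keeps the httpd-level policy, which is the safe direction.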