Disable CSP headers for Selenium requests

See comment. Should allow scripts to run on e.g. the account creation form and other secure forms. Needed in a subsequent commit to access `window.MB` in a Selenium command.
metabrainz · Feb 23, 2023 · 1e9c3bf · 1e9c3bf
1 parent d6329b5
commit 1e9c3bf
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/lib/MusicBrainz/Server.pm b/lib/MusicBrainz/Server.pm
@@ -428,6 +428,9 @@ before dispatch => sub {
         my $cache_namespace = DBDefs->CACHE_NAMESPACE;
         *DBDefs::CACHE_NAMESPACE = sub { $cache_namespace . $database . ':' };
         *DBDefs::ENTITY_CACHE_TTL = sub { 1 };
+        # CSP script-src directives conflict with `Function` constructor calls
+        # injected by babel-plugin-instanbul (unsafe-eval).
+        $self->res->header('Content-Security-Policy', '');
     } else {
         # Use a fresh database connection for every request, and
         # remember to disconnect at the end.