Merge pull request #1634 from muffinresearch/enforce-csp

Enforce CSP in Production
mozilla · Feb 8, 2016 · 1a2d8f7 · 1a2d8f7
2 parents 8f2a628 + f3a1c4b
commit 1a2d8f7
Show file tree

Hide file tree

Showing 3 changed files with 1 addition and 3 deletions.
diff --git a/settings.py b/settings.py
@@ -101,7 +101,6 @@
 }
 
 # CSP report endpoint which returns a 204 from addons-nginx in local dev.
-CSP_REPORT_ONLY = False
 CSP_REPORT_URI = '/csp-report'
 
 # Allow GA over http + www subdomain in local development.

diff --git a/src/olympia/conf/dev/settings.py b/src/olympia/conf/dev/settings.py
@@ -10,7 +10,6 @@
 
 # Allow addons-dev CDN for CSP.
 DEV_CDN_HOST = 'https://addons-dev-cdn.allizom.org'
-CSP_REPORT_ONLY = False
 CSP_FONT_SRC += (DEV_CDN_HOST,)
 CSP_FRAME_SRC += ('https://www.sandbox.paypal.com',)
 CSP_IMG_SRC += (DEV_CDN_HOST,)

diff --git a/src/olympia/lib/settings_base.py b/src/olympia/lib/settings_base.py
@@ -1274,7 +1274,7 @@ def JINJA_CONFIG():
 ANALYTICS_HOST = 'https://ssl.google-analytics.com'
 
 CSP_REPORT_URI = '/__cspreport__'
-CSP_REPORT_ONLY = True
+CSP_REPORT_ONLY = False
 CSP_EXCLUDE_URL_PREFIXES = ()
 
 # NOTE: CSP_DEFAULT_SRC MUST be set otherwise things not set