From e4953032dbf4ee4ff77575678c338f69691c56e7 Mon Sep 17 00:00:00 2001
From: philli-m <5871230+philli-m@users.noreply.github.com>
Date: Thu, 26 Oct 2023 14:37:00 +0200
Subject: [PATCH] settings/dev: update csp to include BO js on older browsers and updagrade requests to be secure
fixes #844
---
 digitalstrategie/settings/dev.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/digitalstrategie/settings/dev.py b/digitalstrategie/settings/dev.py
index 0e8bc15f..cc00f3ca 100644
--- a/digitalstrategie/settings/dev.py
+++ b/digitalstrategie/settings/dev.py
@@ -46,7 +46,13 @@
 # CSP for development (not very strict)
 CSP_DEFAULT_SRC = ["'self'"]
 # unsafe-eval only for testing
-CSP_SCRIPT_SRC = ["'unsafe-eval'"]
+CSP_SCRIPT_SRC = [
+    "'unsafe-eval'",
+    "'self'",
+    "https://stats.liqd.net",
+    "https://berlin.de",
+    "https://www.berlin.de",
+]
 CSP_SCRIPT_SRC_ATTR = ["'none'"]
 # wagtail (and webpack during dev) requires unsafe-inline
 CSP_SCRIPT_SRC_ELEM = [
@@ -93,3 +99,4 @@
 CSP_WORKER_SRC = ["'none'"]
 CSP_EXCLUDE_URL_PREFIXES = "/admin"
 CSP_REPORT_ONLY = False
+CSP_UPGRADE_INSECURE_REQUESTS = True
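Review bot: The new entries `https://berlin.de` and `https://www.berlin.de` in CSP_SCRIPT_SRC are whole-origin allowlists, so every script those origins serve becomes executable in this app, not only the BO bundle the commit message names; if that bundle sits at a fixed path, a path-qualified source expression such as `https://www.berlin.de/<path-to-bo-script>` (placeholder path) keeps the allowlist to what is actually needed. The comment just above the list, `# unsafe-eval only for testing`, now heads a list that is mostly host entries and no longer explains it; since the title says these hosts are for older browsers, I would change it to `# unsafe-eval only for testing; host entries mirror CSP_SCRIPT_SRC_ELEM for browsers without script-src-elem`. Browsers that support script-src-elem use that directive rather than script-src for script elements, so the same hosts presumably also have to appear in CSP_SCRIPT_SRC_ELEM, whose list opens on the hunk's last line and continues outside it.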
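Review bot: CSP_UPGRADE_INSECURE_REQUESTS = True is added without a comment, and with CSP_REPORT_ONLY = False two lines above it is enforced, not merely reported; in a dev settings file the effect on a plain-http local server (browsers rewriting http:// subresource loads to https) should be confirmed, since the other relaxations in this file are explicitly dev-only. A one-line note would spare the next reader that check, e.g. `# enforced: browsers fetch http:// subresources over https -- confirm local assets still load`.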