From 6ba2846bf84efcf545d42b51d08f3860d8ec9d64 Mon Sep 17 00:00:00 2001
From: Josh Larson
Date: Tue, 1 Oct 2024 14:33:21 -0400
Subject: [PATCH] feat: Remove local-dev Content Security Policy (#2179)

---
 config/runtime.exs | 17 +++-------------
 1 file changed, 3 insertions(+), 14 deletions(-)

diff --git a/config/runtime.exs b/config/runtime.exs
index 80d7449bd3..719d293896 100644
--- a/config/runtime.exs
+++ b/config/runtime.exs
@@ -229,21 +229,10 @@ case config_env() do
 "; "
 )
 
+ # Dev is only used for local development, so we don't need, and in
+ # fact actively do not want, a restrictive CSP
 :dev ->
- config :dotcom,
- :content_security_policy_definition,
- Enum.join(
- [
- "default-src 'none'",
- "img-src 'self' cdn.mbta.com #{System.get_env("CMS_API_BASE_URL", "")} *.google.com *.googleapis.com *.gstatic.com mbta-map-tiles-dev.s3.amazonaws.com data: i.ytimg.com www.googletagmanager.com",
- "style-src 'self' 'unsafe-inline' localhost:* www.gstatic.com cdn.jsdelivr.net",
- "script-src 'self' 'unsafe-eval' 'unsafe-inline' localhost:* www.instagram.com *.google.com www.gstatic.com www.googletagmanager.com www.google-analytics.com *.googleapis.com data.mbta.com",
- "font-src 'self' localhost:*",
- "connect-src 'self' localhost:* ws://localhost:* *.googleapis.com",
- "frame-src 'self' localhost:* data.mbta.com www.youtube.com www.google.com cdn.knightlab.com livestream.com www.instagram.com"
- ],
- "; "
- )
+ config :dotcom, :content_security_policy_definition, "*"
 
 :test ->
 config :dotcom, :content_security_policy_definition, ""
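Review bot: The new `:dev` value `"*"` is not a valid Content Security Policy: a policy is a list of `directive-name value` pairs and a bare `*` is not a directive name, so if this string is emitted verbatim as the header a browser will discard it with a console error rather than apply a permissive policy. If the intent is "no CSP in dev", the `:test` clause just below already expresses that with an empty string, and `config :dotcom, :content_security_policy_definition, ""` keeps the two environments consistent, assuming the consumer of this setting omits the header when it is empty (not visible in this hunk). The comment should also record the trade-off the commit makes: dev no longer exercises the production-style policy, so a newly added third-party script, image or connect target will first show up as a CSP violation in an environment that uses the list in the preceding clause rather than on a developer's machine, e.g. `# NOTE: dev no longer mirrors the restrictive CSP above; new external resources must be added there and verified in an environment that applies it`. The enclosing `case config_env() do` starts before this hunk.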