feat: CSP_DISABLE env option

README.md

@@ -70,6 +70,9 @@ PORT=
 # for MODE: `server` gets value from api/package.json `configuration.sasPath`
 SAS_PATH=/path/to/sas/executable.exe
 
+# optional
+# When `true` it will disable strict Content Security Policy
+CSP_DISABLE=true
 
 # optional
 # for MODE: `desktop`, prompts user

api/src/app.ts

@@ -25,7 +25,7 @@ const app = express()
 app.use(cookieParser())
 app.use(morgan('tiny'))
 
-const { MODE, CORS, WHITELIST, PROTOCOL } = process.env
+const { MODE, CORS, WHITELIST, PROTOCOL, CSP_DISABLE } = process.env
 
 export const cookieOptions = {
   secure: PROTOCOL === 'https',
@@ -41,16 +41,18 @@ export const csrfProtection = csrf({ cookie: cookieOptions })
 /***********************************
  *   Handle security and origin    *
  ***********************************/
-app.use(
-  helmet({
-    contentSecurityPolicy: {
-      directives: {
-        ...helmet.contentSecurityPolicy.getDefaultDirectives(),
-        'script-src': ["'self'", "'unsafe-inline'"]
+if (CSP_DISABLE !== 'true') {
+  app.use(
+    helmet({
+      contentSecurityPolicy: {
+        directives: {
+          ...helmet.contentSecurityPolicy.getDefaultDirectives(),
+          'script-src': ["'self'", "'unsafe-inline'"]
+        }
       }
-    }
-  })
-)
+    })
+  )
+}
 
 /***********************************
  *         Enabling CORS           *

web/package.json

@@ -20,6 +20,7 @@
     "@types/node": "^12.20.28",
     "@types/react": "^17.0.27",
     "axios": "^0.24.0",
+    "monaco-editor": "^0.33.0",
     "monaco-editor-webpack-plugin": "^7.0.1",
     "react": "^17.0.2",
     "react-dom": "^17.0.2",