From c96d7ff1caaf184868e24ac9c256a9cc562ac643 Mon Sep 17 00:00:00 2001
From: si458 <simonsmith5521@gmail.com>
Date: Wed, 5 Feb 2025 11:32:56 +0000
Subject: [PATCH] remove CSP for web relay as apps dont load properly with the
 default set #6456

Signed-off-by: si458 <simonsmith5521@gmail.com>
---
 apprelays.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/apprelays.js b/apprelays.js
index 5a9172ac..cd6bc5fa 100644
--- a/apprelays.js
+++ b/apprelays.js
@@ -719,7 +719,8 @@ module.exports.CreateWebRelay = function (parent, db, args, domain, mtype) {
                     }
                     else if (blockHeaders.indexOf(i) == -1) { obj.res.set(i.trim(), header[i]); } // Set the headers if not blocked
                 }
-                obj.res.set('Content-Security-Policy', "default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:;"); // Set an "allow all" policy, see if the can restrict this in the future
+                // Dont set any Content-Security-Policy at all because some applications like Node-Red, access external websites from there javascript which would be forbidden by the below CSP
+                //obj.res.set('Content-Security-Policy', "default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:;"); // Set an "allow all" policy, see if the can restrict this in the future
                 //obj.res.set('Content-Security-Policy', "default-src * 'unsafe-inline' 'unsafe-eval'; script-src * 'unsafe-inline' 'unsafe-eval'; connect-src * 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src *; style-src * 'unsafe-inline';"); // Set an "allow all" policy, see if the can restrict this in the future
                 obj.res.set('Cache-Control', 'no-store'); // Tell the browser not to cache the responses since since the relay port can be used for many relays
             }