From 94bc4d310e9b24ee4914a24bdef62d3367b65a5e Mon Sep 17 00:00:00 2001
From: Mrugesh Mohapatra
Date: Tue, 6 Dec 2016 12:07:01 +0000
Subject: [PATCH] fix(csp): add optimizely for csp errors in production

This commit fixes the issues with optimizely scripts and bring the file in sync with the staging.
---
 server/middlewares/csp.js | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/server/middlewares/csp.js b/server/middlewares/csp.js
index da71631824..27e997e07b 100644
--- a/server/middlewares/csp.js
+++ b/server/middlewares/csp.js
@@ -5,13 +5,19 @@ let trusted = [
 ];
 
 if (process.env.NODE_ENV !== 'production') {
-  trusted.push('ws://localhost:3001');
+  trusted = trusted.concat([
+    'ws://localhost:3000'
+  ]);
 }
 
 export default function csp() {
   return helmet.contentSecurityPolicy({
     directives: {
-      defaultSrc: trusted.concat('*.optimizely.com'),
+      defaultSrc: trusted.concat([
+        'https://*.cloudflare.com',
+        '*.cloudflare.com',
+        'https://*.optimizely.com'
+      ]),
       scriptSrc: [
         "'unsafe-eval'",
         "'unsafe-inline'",
@@ -27,7 +33,8 @@ export default function csp() {
         '*.twimg.com',
         'https://*.twimg.com',
         '*.youtube.com',
-        '*.ytimg.com'
+        '*.ytimg.com',
+        'https://*.optimizely.com'
       ].concat(trusted),
       styleSrc: [
         "'unsafe-inline'",
@@ -36,7 +43,8 @@ export default function csp() {
         '*.bootstrapcdn.com',
         'https://*.bootstrapcdn.com',
         '*.cloudflare.com',
-        'https://*.cloudflare.com'
+        'https://*.cloudflare.com',
+        'https://*.optimizely.com'
       ].concat(trusted),
       fontSrc: [
         '*.cloudflare.com',
@@ -44,7 +52,8 @@ export default function csp() {
         '*.bootstrapcdn.com',
         '*.googleapis.com',
         '*.gstatic.com',
-        'https://*.bootstrapcdn.com'
+        'https://*.bootstrapcdn.com',
+        'https://*.optimizely.com'
       ].concat(trusted),
       imgSrc: [
         // allow all input since we have user submitted images for
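Review bot: The new defaultSrc list carries both `'https://*.cloudflare.com'` and the scheme-less `'*.cloudflare.com'`; a scheme-less host-source already matches the page's own scheme, so the second entry makes the first redundant and, on any page served over plain HTTP, additionally lets Cloudflare assets be fetched unencrypted — keep only `'https://*.cloudflare.com'`. Everything placed in defaultSrc also becomes the fallback for every directive not set explicitly (connect-src, frame-src, object-src, media-src, worker-src), so if Optimizely and Cloudflare are only needed for XHR/beacon traffic a dedicated `connectSrc` entry is narrower than widening the default; the directives object continues past this hunk, so I cannot tell whether those directives are set further down. The dev-only websocket origin also moves from port 3001 to 3000 without mention in the commit message, which is worth confirming against the dev server's actual port.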
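Review bot: The `'https://*.optimizely.com'` entry added to scriptSrc joins a list that already contains `'unsafe-eval'` and `'unsafe-inline'`, so any script the Optimizely snippet injects will run with no further CSP restriction; that is inherent to loading a third-party A/B tool, but it deserves a comment next to the entry such as `// Optimizely snippet: grants script execution to every *.optimizely.com host — pin to the CDN host the tag actually uses if there is only one`. If the snippet is served from a single hostname, pinning that host instead of the subdomain wildcard is the least-privilege choice; I cannot confirm the host from this diff. The csp() function starts before and ends after this hunk.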