From d035799d2494ef5d129b129c0e88c6c07693042c Mon Sep 17 00:00:00 2001
From: James Hobin
Date: Mon, 13 Mar 2023 11:52:32 -0400
Subject: [PATCH] Add very bad Content-Security-Policy

---
 libraries/LocalUIApp.js | 5 +++++
 server.js | 5 +++++
 2 files changed, 10 insertions(+)

diff --git a/libraries/LocalUIApp.js b/libraries/LocalUIApp.js
index 72f05da10..db07cb2f0 100644
--- a/libraries/LocalUIApp.js
+++ b/libraries/LocalUIApp.js
@@ -34,6 +34,11 @@ class LocalUIApp {
 this.loadResources();
 this.app.use(cors());
+ this.app.use((req, res, next) => {
+ res.setHeader('Content-Security-Policy', `default-src 'self' *; script-src 'self' 'unsafe-inline' 'unsafe-eval' *; object-src 'self' blob: *; style-src 'self' *; frame-src 'self' *;`);
+ next();
+ });
+
 this.app.use('/addons/sources', (req, res) => {
 res.send(this.sources);
 });
diff --git a/server.js b/server.js
index 69f1443fe..5220d966c 100644
--- a/server.js
+++ b/server.js
@@ -368,6 +368,11 @@ var cheerio = require('cheerio');
 // allow requests from all origins. TODO make it dependent on the local network. this is important for security
 webServer.use(cors());
+webServer.use((req, res, next) => {
+ res.setHeader('Content-Security-Policy', `default-src 'self' *; script-src 'self' 'unsafe-inline' 'unsafe-eval' *; object-src 'self' blob: *; style-src 'self' *; frame-src 'self' *;`);
+ next();
+});
+
 // Image resizing library, not available on mobile
 let Jimp = null;
 if (!isLightweightMobile) {
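Review bot: The header written by `res.setHeader('Content-Security-Policy', ...)` in the LocalUIApp.js hunk allows `*` together with `'unsafe-inline'` and `'unsafe-eval'` on script-src, so it places no restriction on where scripts come from or on inline/eval execution, and the identical middleware is pasted a second time in the server.js hunk. The one behavioural change it does make is on `style-src 'self' *`, which omits `'unsafe-inline'` and therefore blocks inline `<style>` blocks and `style=` attributes in enforcing browsers, while `*` does not match `data:` or `blob:` URLs for the other directives, so this is likely to break pages before it protects anything. If this is a placeholder to be tightened later, ship it as `Content-Security-Policy-Report-Only` first and add the directives that give value without nonces, e.g. `frame-ancestors 'self'; base-uri 'self';` (and `object-src 'none'` unless plugin or blob objects are really embedded), with a comment such as `// TODO: tighten — currently permits any origin; see report-only violations first`. Keeping the policy string in one shared module used by both files would also stop the two copies from drifting apart.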