From 79756a6b0fe8784f6f23a2e8a43c8ecbb4019387 Mon Sep 17 00:00:00 2001
From: Ted Unangst
Date: Fri, 4 Aug 2023 13:06:24 -0400
Subject: [PATCH] don't report csp violations by default

---
 web.go | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/web.go b/web.go
index a6b0eb5..2249f9a 100644
--- a/web.go
+++ b/web.go
@@ -2560,6 +2560,9 @@ func apihandler(w http.ResponseWriter, r *http.Request) {
 }
 
 func fiveoh(w http.ResponseWriter, r *http.Request) {
+	if !develMode {
+		return
+	}
 	fd, err := os.OpenFile("violations.json", os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0666)
 	if err != nil {
 		elog.Printf("error opening violations! %s", err)
@@ -2606,7 +2609,11 @@ func bgmonitor() {
 
 func addcspheaders(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.Header().Set("Content-Security-Policy", "default-src 'none'; script-src 'self'; connect-src 'self'; style-src 'self'; img-src 'self'; media-src 'self'; report-uri /csp-violation")
+		policy := "default-src 'none'; script-src 'self'; connect-src 'self'; style-src 'self'; img-src 'self'; media-src 'self'"
+		if develMode {
+			policy += "; report-uri /csp-violation"
+		}
+		w.Header().Set("Content-Security-Policy", policy)
 		next.ServeHTTP(w, r)
 	})
 }
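Review bot: The new early return in fiveoh answers a report POST with an implicit 200 and an empty body, and nothing says that this is the intended "collecting is off" response; make it explicit with `w.WriteHeader(http.StatusNoContent)` before the `return`, plus a comment such as `// CSP violation reports are only collected in devel mode; outside it the endpoint is a no-op.` so the next reader does not mistake the guard for a stub. The guard is a real hardening gain, since the endpoint stays reachable even when the policy no longer advertises it and an unconditional append to violations.json would have let any client grow that file indefinitely; note that fiveoh's body continues outside the hunk, and in devel mode it presumably still writes the client-supplied body unbounded, which an `http.MaxBytesReader` on r.Body would cap. The context line creates violations.json with mode 0666; since the file holds attacker-influenced content, 0600 is the safer default. develMode is defined outside this hunk, so I am assuming it is a process-wide flag.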
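Review bot: The policy string is rebuilt and concatenated inside the per-request closure in addcspheaders even though, from what is visible, develMode does not change between requests; move the three `policy :=` / `if develMode { policy += ... }` lines above `return http.HandlerFunc(` so the header value is computed once when the middleware is constructed and the closure only does `w.Header().Set("Content-Security-Policy", policy)`. While the policy is being touched, it is worth a comment noting that `default-src 'none'` does not govern `frame-ancestors`, `form-action` or `base-uri`, so those remain browser-default unless listed explicitly — a deliberate omission should be recorded as such. Also, `report-uri` is the older directive and newer browsers prefer `report-to`; keeping both would be the compatible choice if reporting is extended later.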