From a02935c15f0bdda66b30f8391575a8e6da1f1d6e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Chopin?= <seb@chopin.io>
Date: Fri, 13 Apr 2018 12:37:32 +0200
Subject: [PATCH] fix: Fix CSP in development mode, add unsafe-eval

---
 lib/core/middleware/nuxt.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/core/middleware/nuxt.js b/lib/core/middleware/nuxt.js
index 97a1981a7b..6f4fde6cbe 100644
--- a/lib/core/middleware/nuxt.js
+++ b/lib/core/middleware/nuxt.js
@@ -71,10 +71,10 @@ export default async function nuxtMiddleware(req, res, next) {
     if (this.options.render.csp && this.options.render.csp.enabled) {
       const allowedSources = this.options.render.csp.allowedSources
       const policies = this.options.render.csp.policies
-      let cspStr = `script-src 'self' ${(cspScriptSrcHashes).join(' ')}`
+      let cspStr = `script-src 'self'${this.options.dev ? " 'unsafe-eval'" : ''} ${(cspScriptSrcHashes).join(' ')}`
       if (Array.isArray(allowedSources)) {
         // For compatible section
-        cspStr = `script-src 'self' ${cspScriptSrcHashes.concat(allowedSources).join(' ')}`
+        cspStr += ' ' + allowedSources.join(' ')
       } else if (typeof policies === 'object' && policies !== null && !Array.isArray(policies)) {
         // Set default policy if necessary
         if (!policies['script-src'] || !Array.isArray(policies['script-src'])) {