From b54f4575ee151755779ab26a8818c8499be1ff4e Mon Sep 17 00:00:00 2001
From: Danny Coates <dannycoates@gmail.com>
Date: Wed, 15 Nov 2017 10:54:13 -0800
Subject: [PATCH] allow inline styles. fixes #644

---
 server/routes/index.js | 42 ++++++++++++++++++++----------------------
 1 file changed, 20 insertions(+), 22 deletions(-)

diff --git a/server/routes/index.js b/server/routes/index.js
index 97ab2ca7..7230d455 100644
--- a/server/routes/index.js
+++ b/server/routes/index.js
@@ -42,28 +42,26 @@ module.exports = function(app) {
       force: !IS_DEV
     })
   );
-  if (!IS_DEV) {
-    app.use(
-      helmet.contentSecurityPolicy({
-        directives: {
-          defaultSrc: ["'self'"],
-          connectSrc: [
-            "'self'",
-            'https://sentry.prod.mozaws.net',
-            'https://www.google-analytics.com'
-          ],
-          imgSrc: ["'self'", 'https://www.google-analytics.com'],
-          scriptSrc: ["'self'"],
-          styleSrc: ["'self'", 'https://code.cdn.mozilla.net'],
-          fontSrc: ["'self'", 'https://code.cdn.mozilla.net'],
-          formAction: ["'none'"],
-          frameAncestors: ["'none'"],
-          objectSrc: ["'none'"],
-          reportUri: '/__cspreport__'
-        }
-      })
-    );
-  }
+  app.use(
+    helmet.contentSecurityPolicy({
+      directives: {
+        defaultSrc: ["'self'"],
+        connectSrc: [
+          "'self'",
+          'https://sentry.prod.mozaws.net',
+          'https://www.google-analytics.com'
+        ],
+        imgSrc: ["'self'", 'https://www.google-analytics.com'],
+        scriptSrc: ["'self'"],
+        styleSrc: ["'self'", "'unsafe-inline'", 'https://code.cdn.mozilla.net'],
+        fontSrc: ["'self'", 'https://code.cdn.mozilla.net'],
+        formAction: ["'none'"],
+        frameAncestors: ["'none'"],
+        objectSrc: ["'none'"],
+        reportUri: '/__cspreport__'
+      }
+    })
+  );
   app.use(
     busboy({
       limits: {