From 51b5ac7d09db2a927df7e3645844ba9f5533ba2f Mon Sep 17 00:00:00 2001
From: Kevin Meinhardt
Date: Mon, 10 Mar 2025 20:53:45 +0100
Subject: [PATCH] exclude /api from CSP??
---
 src/olympia/lib/settings_base.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/olympia/lib/settings_base.py b/src/olympia/lib/settings_base.py
index 73e58399ccf4..4861bbd99545 100644
--- a/src/olympia/lib/settings_base.py
+++ b/src/olympia/lib/settings_base.py
@@ -1079,7 +1079,7 @@ def get_db_config(environ_var, atomic_requests=True):
 CSP_REPORT_URI = '/__cspreport__'
 CSP_REPORT_ONLY = False
-CSP_EXCLUDE_URL_PREFIXES = ()
+CSP_EXCLUDE_URL_PREFIXES = ('/api',)
 # NOTE: CSP_DEFAULT_SRC MUST be set otherwise things not set
 # will default to being open to anything.
@@ -1110,7 +1110,6 @@ def get_db_config(environ_var, atomic_requests=True):
 CSP_OBJECT_SRC = ("'none'",)
 CSP_SCRIPT_SRC = (
-    "'self'",
 GOOGLE_ANALYTICS_HOST,
 GOOGLE_TAGMANAGER_HOST,
 'https://www.recaptcha.net/recaptcha/',
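Review bot: The new `('/api',)` entry is an open-ended prefix match — django-csp, as far as I recall, tests `request.path_info.startswith(prefix)` — so it also strips the header from any other path that merely begins with `/api`, and on matched paths it drops the policy entirely (report-uri included) rather than relaxing it. That is harmless for JSON bodies, but any HTML an API view can emit (a browsable-API renderer, a Django HTML error page) would then run with no CSP at all; presumably the API is JSON-only, which is worth confirming rather than assuming. The subject line's "??" suggests the rationale is not settled, so record it next to the setting and tighten the match to the API tree: `CSP_EXCLUDE_URL_PREFIXES = ('/api/',)  # API responses are JSON-only; CSP adds nothing there but header bytes`.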
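Review bot: Dropping `"'self'"` from `CSP_SCRIPT_SRC` is a behavioural change the commit message never mentions — the subject only talks about `/api` — and an explicit `script-src` does not inherit from `default-src`, so once this lands no script served from the site's own origin (inline, or `/static/` on the same host as in local dev) is allowed unless another entry re-adds that origin. The tuple continues past the end of the hunk, so whether a static-host entry covers that case is not visible here. Either justify the removal in the message and annotate the tuple, e.g. `# no 'self': scripts are only ever served from the hosts listed below`, or split it into its own commit so the CSP tightening can be reviewed and reverted independently of the `/api` exclusion. If it is intentional hardening it is a good change, but it should be exercised against any page that still loads same-origin scripts (the Django admin, if enabled, is the usual casualty).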