From e58adaf64a05e8d4b75d5147465fb429b036f4a2 Mon Sep 17 00:00:00 2001 From: MareStare Date: Tue, 4 Mar 2025 02:34:55 +0000 Subject: [PATCH 1/5] Relax SCP in dev env to allow for private IPs --- .../plugs/content_security_policy_plug.ex | 31 ++++++++++++++++--- 1 file changed, 26 insertions(+), 5 deletions(-) diff --git a/lib/philomena_web/plugs/content_security_policy_plug.ex b/lib/philomena_web/plugs/content_security_policy_plug.ex index 854cb613..2ef5b819 100644 --- a/lib/philomena_web/plugs/content_security_policy_plug.ex +++ b/lib/philomena_web/plugs/content_security_policy_plug.ex @@ -25,8 +25,8 @@ defmodule PhilomenaWeb.ContentSecurityPolicyPlug do csp_config = [ {:default_src, ["'self'"]}, - {:script_src, [default_script_src() | script_src]}, - {:connect_src, [default_connect_src()]}, + {:script_src, [default_script_src(conn.host) | script_src]}, + {:connect_src, [default_connect_src(conn.host)]}, {:style_src, [default_style_src() | style_src]}, {:object_src, ["'none'"]}, {:frame_ancestors, ["'none'"]}, 
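Review bot: `conn.host` is the request-supplied host (Plug populates it from the request, the Host header under Cowboy), so in HMR builds the script-src and connect-src allowlist now follows whatever host the client sent instead of a fixed `localhost`, and nothing at this call site says why that is acceptable. It appears acceptable only because the host is consumed solely by the `vite_hmr?` branch, which the later patches show is selected while the module is compiled, so non-HMR builds ignore the argument; that reasoning deserves to be visible where the value is passed. I would add above the `:script_src` entry: `# conn.host is the request's Host header; it only reaches the policy in vite HMR (dev) builds, see default_script_src/1`. The function that builds `csp_config` starts before and ends after this hunk.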
@@ -66,10 +66,31 @@ defmodule PhilomenaWeb.ContentSecurityPolicyPlug do defp cdn_uri, do: Application.get_env(:philomena, :cdn_host) |> to_uri() defp camo_uri, do: Application.get_env(:philomena, :camo_host) |> to_uri() - defp default_script_src, do: vite_hmr?(do: "'self' localhost:5173", else: "'self'") + # Use the "current host" in vite HMR mode for whatever the "current host" is. + # Usually it's `localhost`, but it may be some other private IP address, that + # you use to test the frontend on a mobile device connected via a local Wi-Fi. + defp default_script_src(host) do + # Workaround for a compile warning where `host` variable is unused if we + # inline the if branches into the `vite_hmr?` macro. + is_vite_hmr = vite_hmr?(do: true, else: false) - defp default_connect_src, - do: vite_hmr?(do: "'self' localhost:5173 ws://localhost:5173", else: "'self'") + if is_vite_hmr do + "'self' #{host}:5173" + else + "'self'" + end + end + + defp default_connect_src(host) do + # Same workaround as in `default_script_src/1` + is_vite_hmr = vite_hmr?(do: true, else: false) + + if is_vite_hmr do + "'self' #{host}:5173 ws://#{host}:5173" + else + "'self'" + end + end defp default_style_src, do: vite_hmr?(do: "'self' 'unsafe-inline'", else: "'self'") From 2e5688974049efffcbf9b71eb56ef7d59a714e36 Mon Sep 17 00:00:00 2001 From: MareStare Date: Tue, 4 Mar 2025 05:23:27 +0200 Subject: [PATCH 2/5] Simplify my noob attempt at working around a warning inside a macro. Thanks Liam Co-authored-by: liamwhite --- .../plugs/content_security_policy_plug.ex | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/lib/philomena_web/plugs/content_security_policy_plug.ex b/lib/philomena_web/plugs/content_security_policy_plug.ex index 2ef5b819..b4a72e8f 100644 --- a/lib/philomena_web/plugs/content_security_policy_plug.ex +++ b/lib/philomena_web/plugs/content_security_policy_plug.ex 
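Review bot: The new directives embed `host` bare in `#{host}:5173`, which is well-formed for `localhost` and dotted IPv4 addresses but not for every value `conn.host` can take: the CSP host-source grammar has no IPv6 literal form, so a dev host such as `::1` or a link-local address would produce a source expression the browser ignores, and the HMR script and socket would then be blocked by the very policy meant to allow them. The comment above mentions "some other private IP address" without recording that limit; I would add next to the interpolation in `default_script_src/1`: `# Only hostnames and IPv4 literals are valid CSP host-sources; IPv6 dev hosts are not supported here.`. Whether Plug hands over an IPv6 host with or without brackets I cannot confirm from this diff, so treat this as something to document rather than fix in this patch.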
@@ -69,16 +69,10 @@ defmodule PhilomenaWeb.ContentSecurityPolicyPlug do # Use the "current host" in vite HMR mode for whatever the "current host" is. # Usually it's `localhost`, but it may be some other private IP address, that # you use to test the frontend on a mobile device connected via a local Wi-Fi. - defp default_script_src(host) do - # Workaround for a compile warning where `host` variable is unused if we - # inline the if branches into the `vite_hmr?` macro. - is_vite_hmr = vite_hmr?(do: true, else: false) - - if is_vite_hmr do - "'self' #{host}:5173" - else - "'self'" - end + vite_hmr? do + defp default_script_src(host), do: "'self' #{host}:5173" + else + defp default_script_src(_host), do: "'self'" end defp default_connect_src(host) do From 3296bc0a918e90287c426e94a96bd7f552b719e1 Mon Sep 17 00:00:00 2001 From: MareStare Date: Tue, 4 Mar 2025 03:25:09 +0000 Subject: [PATCH 3/5] Wrap default_connect_src as well --- .../plugs/content_security_policy_plug.ex | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/lib/philomena_web/plugs/content_security_policy_plug.ex b/lib/philomena_web/plugs/content_security_policy_plug.ex index b4a72e8f..c9ff684e 100644 --- a/lib/philomena_web/plugs/content_security_policy_plug.ex +++ b/lib/philomena_web/plugs/content_security_policy_plug.ex @@ -75,15 +75,10 @@ defmodule PhilomenaWeb.ContentSecurityPolicyPlug do defp default_script_src(_host), do: "'self'" end - defp default_connect_src(host) do - # Same workaround as in `default_script_src/1` - is_vite_hmr = vite_hmr?(do: true, else: false) - - if is_vite_hmr do - "'self' #{host}:5173 ws://#{host}:5173" - else - "'self'" - end + vite_hmr? do + defp default_connect_src(host), do: "'self' #{host}:5173 ws://#{host}:5173" + else + defp default_connect_src(_host), do: "'self'" end defp default_style_src, do: vite_hmr?(do: "'self' 'unsafe-inline'", else: "'self'") From e795dfc7cdc5568979070b506406d1b261c6bcd4 Mon Sep 17 00:00:00 2001 
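Review bot: Defining the `defp` clauses inside `vite_hmr? do … else … end` means the branch is decided while the module body is compiled, not per request as the replaced `is_vite_hmr = vite_hmr?(do: true, else: false)` form could suggest; nothing in the hunk records that, and it matters if `vite_hmr?` reads application config, since a runtime config change would then no longer flip the policy. I would state it in the block comment: `# Decided at compile time: only one set of clauses exists in the compiled module.`. The sentence above the block, "Use the "current host" in vite HMR mode for whatever the "current host" is", also reads awkwardly and could become `# In vite HMR mode, allow the dev server on whatever host served this request.`.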
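Review bot: After this change the literal `#{host}:5173` is spelled out three times across `default_script_src/1` and `default_connect_src/1`, so the Vite dev-server port and any future host normalisation have to be kept in sync by hand. A one-line helper removes the duplication: `defp hmr_origin(host), do: "#{host}:5173"`, used as `"'self' #{hmr_origin(host)}"` and `"'self' #{hmr_origin(host)} ws://#{hmr_origin(host)}"`. The port is Vite's default; if the front-end config allows overriding it, a module attribute or config key would be the place to read it from, but nothing in this diff shows such a setting.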
From: MareStare Date: Tue, 4 Mar 2025 03:25:53 +0000 Subject: [PATCH 4/5] Fold both functions into a single `vite_hmr?` --- lib/philomena_web/plugs/content_security_policy_plug.ex | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/lib/philomena_web/plugs/content_security_policy_plug.ex b/lib/philomena_web/plugs/content_security_policy_plug.ex index c9ff684e..48f68dd9 100644 --- a/lib/philomena_web/plugs/content_security_policy_plug.ex +++ b/lib/philomena_web/plugs/content_security_policy_plug.ex @@ -71,14 +71,10 @@ defmodule PhilomenaWeb.ContentSecurityPolicyPlug do # you use to test the frontend on a mobile device connected via a local Wi-Fi. vite_hmr? do defp default_script_src(host), do: "'self' #{host}:5173" - else - defp default_script_src(_host), do: "'self'" - end - - vite_hmr? do defp default_connect_src(host), do: "'self' #{host}:5173 ws://#{host}:5173" else defp default_connect_src(_host), do: "'self'" + defp default_script_src(_host), do: "'self'" end defp default_style_src, do: vite_hmr?(do: "'self' 'unsafe-inline'", else: "'self'") From 6468bdacdf7d87bc8bd2e9af278b1b193f2276a3 Mon Sep 17 00:00:00 2001 From: MareStare Date: Tue, 4 Mar 2025 03:33:24 +0000 Subject: [PATCH 5/5] Move `default_style_src` into the `vite_hmr?` block too --- lib/philomena_web/plugs/content_security_policy_plug.ex | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/philomena_web/plugs/content_security_policy_plug.ex b/lib/philomena_web/plugs/content_security_policy_plug.ex index 48f68dd9..32ff15e4 100644 --- a/lib/philomena_web/plugs/content_security_policy_plug.ex +++ b/lib/philomena_web/plugs/content_security_policy_plug.ex 
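Review bot: Now that both HMR clauses live in one block, this is the place to bound what reaches the policy: `host` is whatever Plug took from the request (the Host header under Cowboy) and is interpolated unchecked into `"'self' #{host}:5173"` and `ws://#{host}:5173`, so the well-formedness of the header depends entirely on that value. I could not confirm from here how strictly the adapter normalises it, and these clauses are compiled only into HMR builds, so this is defense in depth for a dev-only path rather than a production exposure; still, a guard that accepts a plain hostname or IPv4 literal and otherwise falls back to `'self'` keeps the directive intact for odd inputs. The rewrite below adds that guard to the `do` branch only, leaving the `else` clauses as they are. A small nit while here: the `else` branch lists `default_connect_src` before `default_script_src`, the reverse of the `do` branch.
```elixir
  vite_hmr? do
    # Only a plain hostname or IPv4 literal is allowed into the policy; anything
    # else yields nil so the caller falls back to 'self' and the directive stays
    # well-formed (dev-only code path, host comes from the request).
    defp hmr_host(host) when is_binary(host) do
      if host =~ ~r/^[A-Za-z0-9.-]+$/, do: host
    end

    defp hmr_host(_), do: nil

    defp default_script_src(host) do
      case hmr_host(host) do
        nil -> "'self'"
        h -> "'self' #{h}:5173"
      end
    end

    defp default_connect_src(host) do
      case hmr_host(host) do
        nil -> "'self'"
        h -> "'self' #{h}:5173 ws://#{h}:5173"
      end
    end
  else
    # … unchanged: non-HMR clauses returning "'self'" …
  end
```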
@@ -72,13 +72,13 @@ defmodule PhilomenaWeb.ContentSecurityPolicyPlug do vite_hmr? do defp default_script_src(host), do: "'self' #{host}:5173" defp default_connect_src(host), do: "'self' #{host}:5173 ws://#{host}:5173" + defp default_style_src, do: "'self' 'unsafe-inline'" else defp default_connect_src(_host), do: "'self'" defp default_script_src(_host), do: "'self'" + defp default_style_src, do: "'self'" end - defp default_style_src, do: vite_hmr?(do: "'self' 'unsafe-inline'", else: "'self'") - defp to_uri(host) when host in [nil, ""], do: "" defp to_uri(host), do: URI.to_string(%URI{scheme: "https", host: host})