From 59a0788dfa1d05ad7eda5b3346822ce2c70ec360 Mon Sep 17 00:00:00 2001
From: Ivan Sebastian
Date: Tue, 25 Oct 2016 23:59:25 +0700
Subject: [PATCH] fix optimizely csp for script-src

---
 server/middlewares/csp.js | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/server/middlewares/csp.js b/server/middlewares/csp.js
index 5ef54e1f93c..27e997e07b8 100644
--- a/server/middlewares/csp.js
+++ b/server/middlewares/csp.js
@@ -14,9 +14,9 @@ export default function csp() {
 return helmet.contentSecurityPolicy({
 directives: {
 defaultSrc: trusted.concat([
- '*.optimizely.com',
 'https://*.cloudflare.com',
- '*.cloudflare.com'
+ '*.cloudflare.com',
+ 'https://*.optimizely.com'
 ]),
 scriptSrc: [
 "'unsafe-eval'",
@@ -33,7 +33,8 @@ export default function csp() {
 '*.twimg.com',
 'https://*.twimg.com',
 '*.youtube.com',
- '*.ytimg.com'
+ '*.ytimg.com',
+ 'https://*.optimizely.com'
 ].concat(trusted),
 styleSrc: [
 "'unsafe-inline'",
@@ -42,7 +43,8 @@ export default function csp() {
 '*.bootstrapcdn.com',
 'https://*.bootstrapcdn.com',
 '*.cloudflare.com',
- 'https://*.cloudflare.com'
+ 'https://*.cloudflare.com',
+ 'https://*.optimizely.com'
 ].concat(trusted),
 fontSrc: [
 '*.cloudflare.com',
@@ -50,7 +52,8 @@ export default function csp() {
 '*.bootstrapcdn.com',
 '*.googleapis.com',
 '*.gstatic.com',
- 'https://*.bootstrapcdn.com'
+ 'https://*.bootstrapcdn.com',
+ 'https://*.optimizely.com'
 ].concat(trusted),
 imgSrc: [
 // allow all input since we have user submitted images for
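Review bot: The scriptSrc hunk (`@@ -33,7 +33,8 @@`) adds `'https://*.optimizely.com'` as a script origin while that same directive keeps `"'unsafe-eval'"` (visible in the first hunk's context), so a script served from any optimizely.com subdomain is allowed to run and to eval, and the new entry carries no comment saying why it is there. A wildcard subdomain is wider than the single host the snippet is presumably fetched from; if one host is enough, narrow the source to it, and in any case annotate the entry, e.g. `'https://*.optimizely.com', // Optimizely snippet; narrow to the exact host once confirmed`. The same wildcard is added to styleSrc and fontSrc in the `@@ -42,7` and `@@ -50,7` hunks, and to defaultSrc in the first hunk, where it also becomes the fallback for every directive the policy does not list explicitly (connect-src, frame-src, …), which deserves a one-line comment stating that fallback is intended. The body of csp() continues outside each hunk.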