Allow to disable CSP from config file (can be useful with docker)

cmd/serve.go

@@ -22,7 +22,6 @@ import (
 
 var flagAllowRoot bool
 var flagAppdirs []string
-var flagDisableCSP bool
 var flagDevMode bool
 
 // serveCmd represents the serve command
@@ -59,13 +58,6 @@ example), you can use the --appdir flag like this:
 			config.BuildMode = config.ModeDev
 		}
 
-		if flagDisableCSP {
-			if !config.IsDevRelease() {
-				return errors.New("Using --disable-csp is allowed only for development")
-			}
-			config.GetConfig().CSPDisabled = true
-		}
-
 		var apps map[string]string
 		if len(flagAppdirs) > 0 {
 			apps = make(map[string]string)
@@ -218,7 +210,8 @@ func init() {
 	flags.BoolVar(&flagAllowRoot, "allow-root", false, "Allow to start as root (disabled by default)")
 	flags.StringSliceVar(&flagAppdirs, "appdir", nil, "Mount a directory as the 'app' application")
 
-	flags.BoolVar(&flagDisableCSP, "disable-csp", false, "Disable the Content Security Policy (only available for development)")
+	flags.Bool("disable-csp", false, "Disable the Content Security Policy (only available for development)")
+	checkNoErr(viper.BindPFlag("disable_csp", flags.Lookup("disable-csp")))
 
 	flags.String("csp-whitelist", "", "Whitelisted domains for the default allowed origins of the Content Secury Policy")
 	checkNoErr(viper.BindPFlag("csp_whitelist", flags.Lookup("csp-whitelist")))

cozy.example.yaml

@@ -224,6 +224,9 @@ csp_whitelist:
   # style:  https://whitelisted.domain.com/
   # font:   https://whitelisted.domain.com/
 
+# It can useful to disable the CSP policy to debug and test things in local
+# disable_csp: true
+
 log:
   # logger level (debug, info, warning, panic, fatal) - flags: --log-level
   level: info

pkg/config/config.go

@@ -629,6 +629,10 @@ func UseViper(v *viper.Viper) error {
 		CSPWhitelist: v.GetStringMapString("csp_whitelist"),
 	}
 
+	if IsDevRelease() && v.GetBool("disable_csp") {
+		config.CSPDisabled = true
+	}
+
 	return logger.Init(config.Logger)
 }