From e0dee96990bdc282e28e48996dcee532d1f6477f Mon Sep 17 00:00:00 2001
From: Rory Abraham <47436092+roryabraham@users.noreply.github.com>
Date: Thu, 7 Jul 2022 18:58:24 -0700
Subject: [PATCH] Revert "[Prod QA] Fix CSP for statement frames on Desktop"
---
 desktop/main.js | 24 +++++++++++-------------
 1 file changed, 11 insertions(+), 13 deletions(-)
diff --git a/desktop/main.js b/desktop/main.js
index 879d60f78d76..05361d0b2fdb 100644
--- a/desktop/main.js
+++ b/desktop/main.js
@@ -47,7 +47,6 @@ _.assign(console, log.functions);
 // until it detects that it has been upgraded to the correct version.
 const EXPECTED_UPDATE_VERSION_FLAG = '--expected-update-version';
-const APP_DOMAIN = __DEV__ ? `http://localhost:${port}` : 'app://*';
 let expectedUpdateVersion;
 for (let i = 0; i < process.argv.length; i++) {
@@ -160,19 +159,18 @@ const mainWindow = (() => {
 details.requestHeaders.referer = CONFIG.EXPENSIFY.URL_EXPENSIFY_CASH;
 callback({requestHeaders: details.requestHeaders});
 });
- }
- // Modify access-control-allow-origin header and CSP for the response
- webRequest.onHeadersReceived(validDestinationFilters, (details, callback) => {
- details.responseHeaders['access-control-allow-origin'] = [APP_DOMAIN];
- if (details.responseHeaders['content-security-policy']) {
- details.responseHeaders['content-security-policy'] = _.map(
- details.responseHeaders['content-security-policy'],
- value => (value.startsWith('frame-ancestors') ? `${value} ${APP_DOMAIN}` : value),
- );
- }
- callback({responseHeaders: details.responseHeaders});
- });
+ // Modify access-control-allow-origin header for the response
+ webRequest.onHeadersReceived(validDestinationFilters, (details, callback) => {
+ details.responseHeaders['access-control-allow-origin'] = ['app://-'];
+ callback({responseHeaders: details.responseHeaders});
+ });
+ } else {
+ webRequest.onHeadersReceived(validDestinationFilters, (details, callback) => {
+ details.responseHeaders['access-control-allow-origin'] = [`http://localhost:${process.env.PORT}`];
+ callback({responseHeaders: details.responseHeaders});
+ });
+ }
 /* eslint-enable */
 // Prod and staging overwrite the app name in the electron-builder config, so only update it here for dev
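Review bot: Both new `onHeadersReceived` handlers assign the lowercase key `'access-control-allow-origin'` without first removing a header the server may have sent under different casing. As far as I know Electron keys `responseHeaders` by the name as received, so a response that already carries `Access-Control-Allow-Origin` would end up with two values and the renderer's CORS check would likely reject it. Dropping every case variant before assigning avoids that, as sketched below. Separately, the dev branch interpolates `process.env.PORT`, which yields `http://localhost:undefined` if the variable is unset in the main process, so a guard or a fallback would help. The enclosing `if` and the `validDestinationFilters` definition are outside the hunk; since the handler replaces the server's CORS decision for every matching response, it is worth confirming the filter is limited to first-party hosts.

```javascript
// … unchanged: referer rewrite in onBeforeSendHeaders …

// Modify access-control-allow-origin header for the response
webRequest.onHeadersReceived(validDestinationFilters, (details, callback) => {
    // Header names keep the server's casing; remove any existing variant so only one value is sent
    _.each(_.keys(details.responseHeaders), (name) => {
        if (name.toLowerCase() === 'access-control-allow-origin') {
            delete details.responseHeaders[name];
        }
    });
    details.responseHeaders['access-control-allow-origin'] = ['app://-'];
    callback({responseHeaders: details.responseHeaders});
});

// … else branch: same handler with the localhost origin …
```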