CSP in development #103

@thernstig

I found this:

return 'https://va.vercel-scripts.com/v1/speed-insights/script.debug.js';

But I found no reference to it anywhere in the docs. And to avoid CSP errors in development, I had to add these two:

script-src 'self' 'unsafe-eval' 'unsafe-inline' https://va.vercel-scripts.com;
connect-src 'self' https://vitals.vercel-insights.com;

The two https addresses are due to Speed Insights in development. In production it works differently by loading the scripts from my own domain, so self captures that properly.

This is a bit annoying since I then have to make special logic for development just for these domains for script-src and connect-src.

Is it possible to remove the reliance on the network requests also in development and instead load the scripts from the local directory?
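One way to write the development-only logic the issue describes, as an added example that is not part of the original issue or of the Speed Insights package: the two directives from the post are merged in only for development, and a check flags any of those sources in a policy meant for production. The names `BASE_POLICY`, `DEV_ONLY`, `buildCsp`, `parseCsp` and `findDevLeaks` are hypothetical, and the production policy of `'self'` only is an assumption.

```javascript
// Added example. All names here are hypothetical, not from the Speed Insights package.
// Assumption: production needs only 'self'; the issue does not show its production policy.
const BASE_POLICY = {
  'script-src': ["'self'"],
  'connect-src': ["'self'"],
};

// Extra sources from the issue's development policy. Treating the two
// 'unsafe-*' keywords as development-only is an assumption of this sketch.
const DEV_ONLY = {
  'script-src': ["'unsafe-eval'", "'unsafe-inline'", 'https://va.vercel-scripts.com'],
  'connect-src': ['https://vitals.vercel-insights.com'],
};

// Build the header value; dev-only sources are merged in only when isDev is true.
function buildCsp(isDev) {
  const names = new Set([...Object.keys(BASE_POLICY), ...(isDev ? Object.keys(DEV_ONLY) : [])]);
  return [...names].map((name) => {
    const sources = [...(BASE_POLICY[name] || []), ...(isDev ? DEV_ONLY[name] || [] : [])];
    return `${name} ${[...new Set(sources)].join(' ')}`; // Set drops duplicate sources
  }).join('; ');
}

// Parse a header value into a Map of directive name -> array of sources.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';').map((p) => p.trim()).filter(Boolean)) {
    const [name, ...sources] = part.split(/\s+/);
    // Per the CSP spec, a repeated directive is ignored; keep the first.
    if (!policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Return every dev-only source found in a policy meant for production,
// e.g. as a build-time or CI check on the emitted header.
function findDevLeaks(header) {
  const policy = parseCsp(header);
  const leaks = [];
  for (const [name, devSources] of Object.entries(DEV_ONLY)) {
    for (const source of devSources) {
      if ((policy.get(name) || []).includes(source)) leaks.push(`${name} ${source}`);
    }
  }
  return leaks;
}
```

`buildCsp(process.env.NODE_ENV !== 'production')` would supply the header value, and a non-empty `findDevLeaks` result on the production header can fail the build.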
