
CSP local testing


I need to do some changes to our website, as our CSP prevents Safari from accessing it. Also, the whole security rating of the website is, let's put it nicely, rather bad. Now, is there any way to test changes made to CSP locally, without deploying to the server? I tried ngrok, but that doesn't seem to work (doesn't transmit headers). I'm rather new at this, so any tips would be appreciated!


Solution

  • Update: You can now do this by overriding response headers in Chrome: https://developer.chrome.com/docs/devtools/overrides/#override-headers

    You can do this with Fiddler. Modify FiddlerScript and insert the following code inside the OnBeforeResponse function:

        // Match only the responses you want to experiment with
        if (oSession.uriContains('<insert relevant part of url here>')){
            // Drop the server's header first if you want to replace an existing CSP
            oSession.ResponseHeaders.Remove("Content-Security-Policy");
            // Attach the policy under test; the browser enforces it as if the server sent it
            oSession.ResponseHeaders.Add("Content-Security-Policy", "<csp value>");
        }

    Another option is to deploy Content-Security-Policy-Report-Only instead. You will see all the violations as errors in the browser console, but nothing will actually be blocked.
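A self-contained way to try both approaches from the answer (an enforced policy versus Content-Security-Policy-Report-Only) without touching the real server is to serve a test page locally and collect the browser's violation reports. The following is an added example, not code from the original post; the policy string, the test page and the 127.0.0.1:8000 address are constructed for illustration.

```python
"""Local CSP test server: serves a constructed test page with a chosen CSP
header (enforced or Report-Only) and logs violation reports the browser
POSTs to /csp-report. Run it, open http://127.0.0.1:8000/ and watch the
console and this terminal."""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed policy for the example; substitute the site's real policy.
POLICY = "default-src 'self'; script-src 'self'; report-uri /csp-report"

# Constructed test page: the inline script violates script-src 'self'.
PAGE = b"""<!doctype html><title>CSP test</title>
<p>Open the console: the inline script below violates script-src.</p>
<script>document.body.append(' inline script ran');</script>"""


def csp_headers(policy: str, report_only: bool) -> dict:
    """Return the header to attach; Report-Only logs but never blocks."""
    name = ("Content-Security-Policy-Report-Only" if report_only
            else "Content-Security-Policy")
    return {name: policy}


def summarize_report(body: bytes) -> str:
    """Reduce a browser's JSON violation report to one log line."""
    r = json.loads(body).get("csp-report", {})
    return (f"{r.get('violated-directive')} blocked "
            f"{r.get('blocked-uri')} on {r.get('document-uri')}")


class Handler(BaseHTTPRequestHandler):
    report_only = True  # flip to False to see the inline script blocked

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        for name, value in csp_headers(POLICY, self.report_only).items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(PAGE)

    def do_POST(self):
        if self.path == "/csp-report":
            length = int(self.headers.get("Content-Length", 0))
            print("CSP violation:", summarize_report(self.rfile.read(length)))
            self.send_response(204)
        else:
            self.send_response(404)
        self.end_headers()


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8000), Handler).serve_forever()
```

With `report_only = True` the inline text appears on the page and a violation line is printed; with `False` the script is blocked and only the console error remains.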