From d44eb67deceff332927a12e54d612e72bb187f17 Mon Sep 17 00:00:00 2001
From: Raphael Michel <mail@raphaelmichel.de>
Date: Wed, 14 Feb 2018 11:50:10 +0100
Subject: [PATCH] Allow http: forms during testing

---
 src/pretix/base/middleware.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/pretix/base/middleware.py b/src/pretix/base/middleware.py
index 81308a9bbe..741238f14a 100644
--- a/src/pretix/base/middleware.py
+++ b/src/pretix/base/middleware.py
@@ -187,7 +187,7 @@ class SecurityMiddleware(MiddlewareMixin):
             # form-actions redirect to. In the context of e.g. payment providers or
             # single-sign-on this can be nearly anything so we cannot really restrict
             # this. However, we'll restrict it to HTTPS.
-            'form-action': ["{dynamic}", "https:"],
+            'form-action': ["{dynamic}", "https:"] + (['http:'] if settings.SITE_URL.startswith('http://') else []),
             'report-uri': ["/csp_report/"],
         }
         if 'Content-Security-Policy' in resp: