Can't stage the site locally

[kwalrath]

Describe the problem

I haven't been able to stage the site locally today. I suspect this problem is related to #3540.

To be clear, I can serve the site at localhost:4000, but it looks terrible (no css, no images, no js). If I push to an external staging server (https://kw-staging-dartlang-2.web.app), it seems to work.

Expected fix

Either provide a way to run the site using http, or help me figure out a workaround that still lets me serve the site locally.

Additional context

Here's how the local version renders:

And here are the errors I see:

25Refused to load the image '<URL>' because it violates the following Content Security Policy directive: "default-src https:". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.

localhost/:19 Refused to load the image 'http://localhost:4000/assets/shared/dart/icon/64.png' because it violates the following Content Security Policy directive: "default-src https:". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.

localhost/:20 Refused to load the image 'http://localhost:4000/assets/touch-icon-iphone-e3508110f3a82952e9c32329c69f90a37ee8fd1cffdae50b94f0c40b24584463.png' because it violates the following Content Security Policy directive: "default-src https:". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.

localhost/:21 Refused to load the image 'http://localhost:4000/assets/touch-icon-ipad-b4b39129d04a26106a2e172514c4690abf0f2570edc91e0491307bffd23b8a07.png' because it violates the following Content Security Policy directive: "default-src https:". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.

localhost/:22 Refused to load the image 'http://localhost:4000/assets/touch-icon-iphone-retina-5498c853d0f2c7f9a26bf06206bdf7eb672962d4a3e38890dbd3d6bae1937abd.png' because it violates the following Content Security Policy directive: "default-src https:". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.

localhost/:23 Refused to load the image 'http://localhost:4000/assets/touch-icon-ipad-retina-4de20dd3e147050229a7a917c902fc0104349da4ab6b709ea89069bf3486910b.png' because it violates the following Content Security Policy directive: "default-src https:". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.

localhost/:1 Refused to load the image 'http://localhost:4000/assets/shared/dart/logo+text/horizontal/white-e71fb382ad5229792cc704b3ee7a88f8013e986d6e34f0956d89c453b454d0a5.svg' because it violates the following Content Security Policy directive: "default-src https:". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.

localhost/:1 Refused to load the image 'http://localhost:4000/assets/dash/2x/paint-your-ui.png' because it violates the following Content Security Policy directive: "default-src https:". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.

localhost/:1 Refused to load the image 'http://localhost:4000/assets/dash/2x/paint-your-ui.png' because it violates the following Content Security Policy directive: "default-src https:". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.

localhost/:1 Refused to load the image 'http://localhost:4000/assets/dash/2x/supported%20by%20google@2x.png' because it violates the following Content Security Policy directive: "default-src https:". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.

localhost/:1 Refused to load the image 'http://localhost:4000/assets/dash/2x/multiplatform%20performance%20light%20op1@2x.png' because it violates the following Content Security Policy directive: "default-src https:". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.

localhost/:1 Refused to load the image 'http://localhost:4000/assets/dash/2x/client%20optimised%20light%20op1@2x.png' because it violates the following Content Security Policy directive: "default-src https:". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.

localhost/:1 Refused to load the image 'http://localhost:4000/assets/dash/2x/productive%20dev%20light%20op1@2x.png' because it violates the following Content Security Policy directive: "default-src https:". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.

localhost/:1 Refused to load the image 'http://localhost:4000/assets/dash/svg/1-1%20async%20await.svg' because it violates the following Content Security Policy directive: "default-src https:". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.

localhost/:1 Refused to load the image 'http://localhost:4000/assets/dash/2x/multiplatform%20performance%20light%20op1@2x.png' because it violates the following Content Security Policy directive: "default-src https:". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.

localhost/:1 Refused to load the image 'http://localhost:4000/assets/dash/svg/2-1%20hot%20reload%20iterative%20changes.svg' because it violates the following Content Security Policy directive: "default-src https:". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.

localhost/:1 Refused to load the image 'http://localhost:4000/assets/dash/2x/productive%20dev%20light%20op1@2x.png' because it violates the following Content Security Policy directive: "default-src https:". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.

localhost/:1 Refused to load the image 'http://localhost:4000/assets/dash/svg/3-1%20-%20aot%20compile.svg' because it violates the following Content Security Policy directive: "default-src https:". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.

localhost/:1 Refused to load the image 'http://localhost:4000/assets/dash/2x/client%20optimised%20light%20op1@2x.png' because it violates the following Content Security Policy directive: "default-src https:". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.

localhost/:1 Refused to load the image 'http://localhost:4000/assets/dash/2x/multiplatform%20performance%20light%20op1@2x.png' because it violates the following Content Security Policy directive: "default-src https:". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.

localhost/:1 Refused to load the image 'http://localhost:4000/assets/dash/svg/1-1%20async%20await.svg' because it violates the following Content Security Policy directive: "default-src https:". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.

localhost/:1 Refused to load the image 'http://localhost:4000/assets/dash/svg/2-1%20hot%20reload%20iterative%20changes.svg' because it violates the following Content Security Policy directive: "default-src https:". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.

localhost/:1 Refused to load the image 'http://localhost:4000/assets/dash/2x/productive%20dev%20light%20op1@2x.png' because it violates the following Content Security Policy directive: "default-src https:". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.

localhost/:1 Refused to load the image 'http://localhost:4000/assets/dash/2x/multiplatform%20performance%20light%20op1@2x.png' because it violates the following Content Security Policy directive: "default-src https:". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.

localhost/:1 Refused to load the image 'http://localhost:4000/assets/dash/svg/3-1%20-%20aot%20compile.svg' because it violates the following Content Security Policy directive: "default-src https:". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.

localhost/:1 Refused to load the image 'http://localhost:4000/assets/shared/dart/icon/64.png' because it violates the following Content Security Policy directive: "default-src https:". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.

localhost/:37 Refused to load the stylesheet 'http://localhost:4000/assets/main-852a0684b377adbf5274d3681d07596d66dbe5465de65fa69b3bbb15a55c27f2.css' because it violates the following Content Security Policy directive: "style-src https: 'unsafe-inline'". Note that 'style-src-elem' was not explicitly set, so 'style-src' is used as a fallback.

(index):44 Refused to load the script 'http://www.google-analytics.com/analytics.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' 'sha256-cTJIwsgB4Xj1loi9AdzTWk3GZ5Kx0NremLhkGfw9zWc=' 'sha256-acZJdbnwXvMNQmfri3ENcArTn+GH3sY664c1uY0xxpg=' https://www.googletagmanager.com https://www.google-analytics.com https://ssl.google-analytics.com https://gstatic.com https://*.gstatic.com https://dartpad.dev https://*.dartpad.dev https://youtube.com https://*.youtube.com https://fonts.googleapis.com https://doubleclick.net https://*.doubleclick.net https://google.com https://*.google.com https://storage.googleapis.com". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

(anonymous) @ (index):44
localhost/:1 Refused to load media from 'http://localhost:4000/assets/dash/video/hotreload.webm' because it violates the following Content Security Policy directive: "default-src https:". Note that 'media-src' was not explicitly set, so 'default-src' is used as a fallback.

localhost/:1 Refused to load media from 'http://localhost:4000/assets/dash/video/hotreload.mp4' because it violates the following Content Security Policy directive: "default-src https:". Note that 'media-src' was not explicitly set, so 'default-src' is used as a fallback.

content_script_compiled.js:32 Uncaught SecurityError: Sandbox access violation: Blocked a frame at "null" from accessing a frame at "https://dartpad.dev".  The frame requesting access is sandboxed and lacks the "allow-same-origin" flag.
(anonymous) @ content_script_compiled.js:32
localhost/:1 Refused to load the stylesheet 'http://localhost:4000/assets/main-852a0684b377adbf5274d3681d07596d66dbe5465de65fa69b3bbb15a55c27f2.css' because it violates the following Content Security Policy directive: "style-src https: 'unsafe-inline'". Note that 'style-src-elem' was not explicitly set, so 'style-src' is used as a fallback.

DevTools failed to load source map: Could not load content for http://localhost:4000/assets/dash/js/dartpad_picker_main.dart.js.map: HTTP error: status code 404, net::ERR_HTTP_RESPONSE_CODE_FAILURE
DevTools failed to load source map: Could not load content for https://dartpad.dev/packages/split/split.min.js.map: HTTP error: status code 404, net::ERR_HTTP_RESPONSE_CODE_FAILURE
DevTools failed to load source map: Could not load content for https://dartpad.dev/scripts/embed_dart.dart.js.map: HTTP error: status code 404, net::ERR_HTTP_RESPONSE_CODE_FAILURE

[parlough]

Sorry about that, let me know if you experience any further issues!

Fixed by e491c81

[kwalrath]

Thanks for fixing this!