Map the content_security_policy header to the request_uri.

ansible/roles/nginx_site_config/templates/tildes.conf.jinja2

@@ -11,6 +11,15 @@ map $sent_http_content_type $expires_type_map {
     ~image/ max;
 }
 
+map $request_uri $csp_header {
+    # The default CSP:
+    # - "img-src data:" is needed for Spectre.css icons
+    default "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self' data:; connect-src 'self'; manifest-src 'self'; form-action 'self'; frame-ancestors 'none'; base-uri 'none'";
+    # The CSP for the Stripe donation page:
+    # - "https://js.stripe.com" in script-src and frame-src is needed for Stripe
+    "~^/donate_stripe$" "default-src 'none'; script-src 'self' https://js.stripe.com; style-src 'self'; img-src 'self' data:; connect-src 'self'; manifest-src 'self'; frame-src 'self' https://js.stripe.com; form-action 'self'; frame-ancestors 'none'; base-uri 'none'";
+}
+
 server {
     # block bots that don't obey robots.txt
     if ($http_user_agent ~* (SemrushBot)) {
@@ -39,10 +48,7 @@ server {
     {% endif %}
 
     {% if nginx_enable_csp %}
-      # Content Security Policy:
-      #   - "img-src data:" is needed for Spectre.css icons
-      #   - "https://js.stripe.com" in script-src and frame-src is needed for Stripe
-      add_header Content-Security-Policy "default-src 'none'; script-src 'self' https://js.stripe.com; style-src 'self'; img-src 'self' data:; connect-src 'self'; manifest-src 'self'; frame-src 'self' https://js.stripe.com; form-action 'self'; frame-ancestors 'none'; base-uri 'none'" always;
+      add_header Content-Security-Policy $csp_header always;
     {% endif %}
 
     add_header X-Content-Type-Options "nosniff" always;