Add frame-src to CSP for Stripe

The Stripe Checkout redirect was being blocked by the Content Security
Policy; it needs to be allowed through frame-src, as done here.
This commit is contained in:
Deimos
2019-09-20 15:23:46 -06:00
parent 6819b1917e
commit 63b935927a


@@ -32,8 +32,8 @@ server {
# Content Security Policy:
# - "img-src data:" is needed for Spectre.css icons
# - "script-src https://js.stripe.com" is needed for Stripe donation page
add_header Content-Security-Policy "default-src 'none'; script-src 'self' https://js.stripe.com; style-src 'self'; img-src 'self' data:; connect-src 'self'; manifest-src 'self'; form-action 'self'; frame-ancestors 'none'; base-uri 'none'" always;
# - "https://js.stripe.com" in script-src and frame-src is needed for Stripe
add_header Content-Security-Policy "default-src 'none'; script-src 'self' https://js.stripe.com; style-src 'self'; img-src 'self' data:; connect-src 'self'; manifest-src 'self'; frame-src 'self' https://js.stripe.com; form-action 'self'; frame-ancestors 'none'; base-uri 'none'" always;
{% endif %}
add_header X-Content-Type-Options "nosniff" always;