Update the CSP to only allow Stripe on the donation page.

Bauke requested to merge Bauke/tildes:stripe-csp into master

Fixes #574 (closed).

This adds the CSP map, so when the request is for ^~/donate_stripe it will use the CSP where Stripe's external resources are allowed. And otherwise it will use the default one.

For the default CSP I used the original one from this commit without the Stripe script-src and data: from img-src.

I don't know if this is the correct CSP or if it even works, but it's something to get started.
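A per-path CSP selected with an nginx `map`, as described above. This is an added example, not the merge request's code: the variable name `$csp_policy`, both policy strings, the port and the Stripe origins listed are assumptions.

```nginx
# Added example. The policy strings are constructed for illustration and are
# not the Tildes policy; the Stripe origins are assumed from Stripe.js usage.
# The map block belongs in the http context.
map $uri $csp_policy {
    # Every page except the donation page: no third-party origins at all,
    # and no data: URIs in img-src.
    default "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; connect-src 'self'; form-action 'self'; frame-ancestors 'none'; base-uri 'none'";

    # Donation page only (prefix match on the normalized URI, query string
    # excluded): the same baseline plus the Stripe script, frame and API origins.
    ~^/donate_stripe "default-src 'none'; script-src 'self' https://js.stripe.com; frame-src https://js.stripe.com https://hooks.stripe.com; style-src 'self'; img-src 'self'; connect-src 'self' https://api.stripe.com; form-action 'self'; frame-ancestors 'none'; base-uri 'none'";
}

server {
    listen 8080;            # assumed port for a local check
    server_name localhost;

    # "always" also sends the header on error responses (4xx/5xx).
    add_header Content-Security-Policy $csp_policy always;

    # Caveat: a location block that sets any add_header of its own stops
    # inheriting this one, so the CSP has to be repeated there.
    location / {
        return 204;
    }
}
```

To check the result, request `/donate_stripe` and any other path with `curl -I` and confirm that the Stripe origins appear in the `Content-Security-Policy` header of the first response only.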
