SecurityMiddleware: Add child-src

Raphael Michel
2016-09-17 23:18:51 +02:00
parent 9a0967c0e2
commit 852e3cced7


@@ -157,12 +157,14 @@ class SecurityMiddleware:
'default-src': "{static}",
'script-src': '{static} https://checkout.stripe.com https://js.stripe.com',
'object-src': "'none'",
# frame-src is deprecated but kept for compatibility with CSP 1.0 browsers, e.g. Safari 9
'frame-src': '{static} https://checkout.stripe.com https://js.stripe.com',
'child-src': '{static} https://checkout.stripe.com https://js.stripe.com',
'style-src': "{static}",
'connect-src': "{dynamic} https://checkout.stripe.com",
'img-src': "{static} data: https://*.stripe.com",
# form-action is not only used to match on form actions, but also on URLs
# form-ations redirect to. In the context of e.g. payment providers or
# form-actions redirect to. In the context of e.g. payment providers or
# single-sign-on this can be nearly anything so we cannot really restrict
# this. However, we'll restrict it to HTTPS.
'form-action': "{dynamic} https:",