Add csp_additional_header config option

doc/admin/config.rst

@@ -105,7 +105,12 @@ Example::
 
 ``csp_log``
     Log violations of the Content Security Policy (CSP). Defaults to ``on``.
-    
+
+``csp_additional_header``
+    Specifies a CSP header that will be **merged** with pretix's default header. For example, if you set this
+    to ``script-src https://mycdn.com``, pretix will add ``https://mycdn.com`` as an **additional** allowed source
+    to all CSP headers. Empty by default.
+
 ``loglevel``
     Set console and file log level (``DEBUG``, ``INFO``, ``WARNING``, ``ERROR`` or ``CRITICAL``). Defaults to ``INFO``.
 

src/pretix/base/middleware.py

@@ -228,6 +228,8 @@ class SecurityMiddleware(MiddlewareMixin):
             h['report-uri'] = ["/csp_report/"]
         if 'Content-Security-Policy' in resp:
             _merge_csp(h, _parse_csp(resp['Content-Security-Policy']))
+        if settings.CSP_ADDITIONAL_HEADER:
+            _merge_csp(h, _parse_csp(settings.CSP_ADDITIONAL_HEADER))
 
         staticdomain = "'self'"
         dynamicdomain = "'self'"

src/pretix/settings.py

@@ -62,6 +62,7 @@ else:
 debug_fallback = "runserver" in sys.argv
 DEBUG = config.getboolean('django', 'debug', fallback=debug_fallback)
 LOG_CSP = config.getboolean('pretix', 'csp_log', fallback=True)
+CSP_ADDITIONAL_HEADER = config.get('pretix', 'csp_additional_header', fallback=True)
 
 PDFTK = config.get('tools', 'pdftk', fallback=None)