CGM_Public/pretix_cgo
1
0
Fork 0
forked from CGM_Public/pretix_original
Code Pull Requests Actions Activity

PayPal2: Allow all https-pages to be framed, addressing CSP+popover issues (Z#23111577)

Browse Source
This commit is contained in:
Martin Gross
2022-11-10 19:10:03 +01:00
parent 845b3a866b
commit a5be7dcff5
1 changed files with 10 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
src/pretix/plugins/paypal2/signals.py
View File

@@ -149,7 +149,16 @@ def signal_process_response(sender, request: HttpRequest, response: HttpResponse
csps = {
'script-src': ['https://www.paypal.com', "'nonce-{}'".format(_nonce(request))],
'frame-src': ['https://www.paypal.com', 'https://www.sandbox.paypal.com', "'nonce-{}'".format(_nonce(request))],
# When the stars align in an unpredictable manner and the temperature is just right, the PayPal SDK might
# decide to not open a popup for the payment process (which is in turn not tied to our CSP) but instead
# use a popover directly on the purchase page. Unfortunately, the latter will be tied to our CSP even when
# trying to iframe banking pages such as giropay and SOFORT.
# Until PayPal figures a way around this (or at least provides a way to inhibit the popover), we'll allow to
# frame any https page only on the pay-page.
# Ref: Z#23111577
# 'frame-src': ['https://www.paypal.com', 'https://www.sandbox.paypal.com', "'nonce-{}'".format(_nonce(request))],
'frame-src': ['https:', "'nonce-{}'".format(_nonce(request))],
'connect-src': ['https://www.paypal.com', 'https://www.sandbox.paypal.com'], # Or not - seems to only affect PayPal logging...
'img-src': ['https://t.paypal.com'],
'style-src': ["'nonce-{}'".format(_nonce(request))]