CGM_Public/pretix_cgo
1
0
Fork 0
forked from CGM_Public/pretix_original
Code Pull Requests Actions Activity

Fixed problems with PayPal and CSP

Browse Source
This commit is contained in:
Raphael Michel
2016-05-02 09:48:56 +02:00
parent 765ae39fa0
commit bda0075613
1 changed files with 5 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/pretix/base/middleware.py
View File

@@ -152,7 +152,11 @@ class SecurityMiddleware:
'frame-src': '{static} https://js.stripe.com', 'frame-src': '{static} https://js.stripe.com',
'style-src': "{static}", 'style-src': "{static}",
'img-src': "{static} data: https://*.stripe.com", 'img-src': "{static} data: https://*.stripe.com",
'form-action': "{dynamic}", # form-action is not only used to match on form actions, but also on URLs
# form-ations redirect to. In the context of e.g. payment providers or
# single-sign-on this can be nearly anything so we cannot really restrict
# this. However, we'll restrict it to HTTPS.
'form-action': "{dynamic} https:",
} }
if 'Content-Security-Policy' in resp: if 'Content-Security-Policy' in resp:
h.update(self._parse_csp(resp['Content-Security-Policy'])) h.update(self._parse_csp(resp['Content-Security-Policy']))