Externalize more resources, implement Content-Security-Policy headers

src/pretix/plugins/stripe/static/pretixplugins/stripe/pretix-stripe.js

@@ -1,4 +1,4 @@
-/*global $, stripe_pubkey, stripe_loadingmessage */
+/*global $, stripe_pubkey, stripe_loadingmessage, gettext */
 'use strict';
 
 var Stripe = null;
@@ -44,7 +44,7 @@ var pretixstripe = {
         }
     },
     'request': function () {
-        waitingDialog.show(stripe_loading_message);
+        waitingDialog.show(gettext("Contacting Stripe…"));
         $(".stripe-errors").hide();
         Stripe.card.createToken(
             {
@@ -80,7 +80,7 @@ var pretixstripe = {
                 url: 'https://js.stripe.com/v2/',
                 dataType: 'script',
                 success: function () {
-                    Stripe.setPublishableKey(stripe_pubkey);
+                    Stripe.setPublishableKey($.trim($("#stripe_pubkey").html()));
                 }
             }
         );

src/pretix/plugins/stripe/templates/pretixplugins/stripe/presale_head.html

@@ -5,7 +5,5 @@
 {% compress js %}
     <script type="text/javascript" src="{% static "pretixplugins/stripe/pretix-stripe.js" %}"></script>
 {% endcompress %}
-<script type="text/javascript">
-    var stripe_pubkey = '{{ settings.publishable_key }}';
-    var stripe_loading_message = '{% trans "Contacting Stripe…" %}';
-</script>
+<script type="text/plain" id="stripe_pubkey">{{ settings.publishable_key }}</script>
+