From 19fa2fb016ef9aaaeee989f4dd36bc395f742052 Mon Sep 17 00:00:00 2001
From: Raphael Michel <mail@raphaelmichel.de>
Date: Tue, 21 Jul 2020 10:59:13 +0200
Subject: [PATCH] CSP: Remove child-src, as it is redundant with frame-src and
 will get deprecated again

---
 src/pretix/base/middleware.py | 2 --
 1 file changed, 2 deletions(-)

diff --git a/src/pretix/base/middleware.py b/src/pretix/base/middleware.py
index ce8c78ca91..253f335a33 100644
--- a/src/pretix/base/middleware.py
+++ b/src/pretix/base/middleware.py
@@ -199,9 +199,7 @@ class SecurityMiddleware(MiddlewareMixin):
             'default-src': ["{static}"],
             'script-src': ['{static}', 'https://checkout.stripe.com', 'https://js.stripe.com'],
             'object-src': ["'none'"],
-            # frame-src is deprecated but kept for compatibility with CSP 1.0 browsers, e.g. Safari 9
             'frame-src': ['{static}', 'https://checkout.stripe.com', 'https://js.stripe.com'],
-            'child-src': ['{static}', 'https://checkout.stripe.com', 'https://js.stripe.com'],
             'style-src': ["{static}", "{media}"],
             'connect-src': ["{dynamic}", "{media}", "https://checkout.stripe.com"],
             'img-src': ["{static}", "{media}", "data:", "https://*.stripe.com"] + img_src,