CSP: Remove child-src, as it is redundant with frame-src and will get deprecated again

2026-05-04 15:04:03 +00:00 · 2020-07-21 10:59:13 +02:00
parent 12b5d6663e
commit 19fa2fb016
1 changed files with 0 additions and 2 deletions
--- a/src/pretix/base/middleware.py
+++ b/src/pretix/base/middleware.py
@@ -199,9 +199,7 @@ class SecurityMiddleware(MiddlewareMixin):
            'default-src': ["{static}"],
            'script-src': ['{static}', 'https://checkout.stripe.com', 'https://js.stripe.com'],
            'object-src': ["'none'"],
-            # frame-src is deprecated but kept for compatibility with CSP 1.0 browsers, e.g. Safari 9
            'frame-src': ['{static}', 'https://checkout.stripe.com', 'https://js.stripe.com'],
-            'child-src': ['{static}', 'https://checkout.stripe.com', 'https://js.stripe.com'],
            'style-src': ["{static}", "{media}"],
            'connect-src': ["{dynamic}", "{media}", "https://checkout.stripe.com"],
            'img-src': ["{static}", "{media}", "data:", "https://*.stripe.com"] + img_src,