diff --git a/src/pretix/base/middleware.py b/src/pretix/base/middleware.py
index b244f1ecb4..5188d27006 100644
--- a/src/pretix/base/middleware.py
+++ b/src/pretix/base/middleware.py
@@ -157,12 +157,14 @@ class SecurityMiddleware:
             'default-src': "{static}",
             'script-src': '{static} https://checkout.stripe.com https://js.stripe.com',
             'object-src': "'none'",
+            # frame-src is deprecated but kept for compatibility with CSP 1.0 browsers, e.g. Safari 9
             'frame-src': '{static} https://checkout.stripe.com https://js.stripe.com',
+            'child-src': '{static} https://checkout.stripe.com https://js.stripe.com',
             'style-src': "{static}",
             'connect-src': "{dynamic} https://checkout.stripe.com",
             'img-src': "{static} data: https://*.stripe.com",
             # form-action is not only used to match on form actions, but also on URLs
-            # form-ations redirect to. In the context of e.g. payment providers or
+            # form-actions redirect to. In the context of e.g. payment providers or
             # single-sign-on this can be nearly anything so we cannot really restrict
             # this. However, we'll restrict it to HTTPS.
             'form-action': "{dynamic} https:",