cleaner way to modify CSP for Stripe scripts

2025-06-15 09:45:50 +02:00 · 2025-06-15 09:45:50 +02:00 · b2b3f98a73
commit b2b3f98a73
parent 122b0d1c0e
8 changed files with 22 additions and 35 deletions
--- a/liberapay/constants.py
+++ b/liberapay/constants.py
@ -64,6 +64,22 @@ CARD_BRANDS = {
 }


+# https://docs.stripe.com/security/guide?csp=csp-js#content-security-policy
+CSP_STRIPE = (
+    (b'connect-src', b"api.stripe.com"),
+    (b'frame-src', b"*.js.stripe.com js.stripe.com hooks.stripe.com"),
+    (b'script-src', b"*.js.stripe.com js.stripe.com"),
+)
+
+# https://docs.stripe.com/security/guide?csp=csp-connect#content-security-policy
+CSP_STRIPE_CONNECT = (
+    (b'frame-src', b"connect-js.stripe.com js.stripe.com"),
+    (b'img-src', b"*.stripe.com"),
+    (b'script-src', b"connect-js.stripe.com js.stripe.com"),
+    (b'style-src', b"sha256-0hAheEzaMe6uXIKV4EehS9pu1am1lj/KnnzrOYqckXk="),
+)
+
+
 class _DonationLimits(MoneyAutoConvertDict):

    def generate_value(self, currency):
--- a/liberapay/main.py
+++ b/liberapay/main.py
@ -48,7 +48,7 @@ from liberapay.payin.cron import (
    send_upcoming_debit_notifications,
 )
 from liberapay.security import authentication, csrf, set_default_security_headers
-from liberapay.security.csp import csp_allow, csp_allow_stripe, csp_allow_stripe_connect
+from liberapay.security.csp import csp_allow
 from liberapay.utils import (
    b64decode_s, b64encode_s, erase_cookie, http_caching, set_cookie,
 )
@ -408,14 +408,6 @@ if hasattr(pando.Response, 'csp_allow'):
    raise Warning('pando.Response.csp_allow() already exists')
 pando.Response.csp_allow = csp_allow

-if hasattr(pando.Response, 'csp_allow_stripe'):
-    raise Warning('pando.Response.csp_allow_stripe() already exists')
-pando.Response.csp_allow_stripe = csp_allow_stripe
-
-if hasattr(pando.Response, 'csp_allow_stripe_connect'):
-    raise Warning('pando.Response.csp_allow_stripe_connect() already exists')
-pando.Response.csp_allow_stripe_connect = csp_allow_stripe_connect
-
 if hasattr(pando.Response, 'encode_url'):
    raise Warning('pando.Response.encode_url() already exists')
 def _encode_url(url):
--- a/liberapay/security/csp.py
+++ b/liberapay/security/csp.py
@ -33,24 +33,3 @@ def csp_allow(response, *items: Tuple[bytes, bytes]) -> None:
            old_value = d.get(b'default-src')
        d[directive] = b'%s %s' % (old_value, value) if old_value else value
    response.headers[b'content-security-policy'] = CSP(d)
-
-
-def csp_allow_stripe(response) -> None:
-    # https://docs.stripe.com/security/guide?csp=csp-js#content-security-policy
-    csp_allow(
-        response,
-        (b'connect-src', b"api.stripe.com"),
-        (b'frame-src', b"*.js.stripe.com js.stripe.com hooks.stripe.com"),
-        (b'script-src', b"*.js.stripe.com js.stripe.com"),
-    )
-
-
-def csp_allow_stripe_connect(response) -> None:
-    # https://docs.stripe.com/security/guide?csp=csp-connect#content-security-policy
-    csp_allow(
-        response,
-        (b'frame-src', b"connect-js.stripe.com js.stripe.com"),
-        (b'img-src', b"*.stripe.com"),
-        (b'script-src', b"connect-js.stripe.com js.stripe.com"),
-        (b'style-src', b"sha256-0hAheEzaMe6uXIKV4EehS9pu1am1lj/KnnzrOYqckXk="),
-    )
--- a/www/%username/giving/pay/stripe/%payin_id.spt
+++ b/www/%username/giving/pay/stripe/%payin_id.spt
@ -584,6 +584,6 @@ title = _("Funding your donations")
 % endblock

 % block scripts
-    % do response.csp_allow_stripe()
+    % do response.csp_allow(*constants.CSP_STRIPE)
    <script src="https://js.stripe.com/v3/"></script>
 % endblock
--- a/www/%username/payment/stripe/create.spt
+++ b/www/%username/payment/stripe/create.spt
@ -135,6 +135,6 @@ title = _("Create a {provider} account", provider='Stripe')
 % endblock

 % block scripts
-    % do response.csp_allow_stripe()
+    % do response.csp_allow(*constants.CSP_STRIPE)
    <script src="https://js.stripe.com/v3/"></script>
 % endblock
--- a/www/%username/payment/stripe/manage.spt
+++ b/www/%username/payment/stripe/manage.spt
@ -101,6 +101,6 @@ title = _("Manage a {provider} account", provider='Stripe')
 % endblock

 % block scripts
-    % do response.csp_allow_stripe_connect()
+    % do response.csp_allow(*constants.CSP_STRIPE_CONNECT)
    <script src="https://connect-js.stripe.com/v1.0/connect.js"></script>
 % endblock
--- a/www/%username/payment/stripe/onboard.spt
+++ b/www/%username/payment/stripe/onboard.spt
@ -56,6 +56,6 @@ title = _("Activate a {provider} account", provider='Stripe')
 % endblock

 % block scripts
-    % do response.csp_allow_stripe_connect()
+    % do response.csp_allow(*constants.CSP_STRIPE_CONNECT)
    <script src="https://connect-js.stripe.com/v1.0/connect.js"></script>
 % endblock
--- a/www/%username/routes/add.spt
+++ b/www/%username/routes/add.spt
@ -141,6 +141,6 @@ title = _("Add a payment instrument")
 % endblock

 % block scripts
-    % do response.csp_allow_stripe()
+    % do response.csp_allow(*constants.CSP_STRIPE)
    <script src="https://js.stripe.com/v3/"></script>
 % endblock